Vulnerability Details CVE-2015-3451
The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.034
EPSS Ranking 86.8%
CVSS Severity
CVSS v2 Score 5.0
References
- http://advisories.mageia.org/MGASA-2015-0199.html
- http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157448.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157740.html
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00006.html
- http://www.debian.org/security/2015/dsa-3243
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:231
- http://www.openwall.com/lists/oss-security/2015/04/25/2
- http://www.openwall.com/lists/oss-security/2015/04/30/1
- http://www.securityfocus.com/bid/74333
- http://www.ubuntu.com/usn/USN-2592-1
- https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30/raw/
- http://advisories.mageia.org/MGASA-2015-0199.html
- http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157448.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157740.html
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00006.html
- http://www.debian.org/security/2015/dsa-3243
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:231
- http://www.openwall.com/lists/oss-security/2015/04/25/2
- http://www.openwall.com/lists/oss-security/2015/04/30/1
- http://www.securityfocus.com/bid/74333
- http://www.ubuntu.com/usn/USN-2592-1
- https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30/raw/
Products affected by CVE-2015-3451
-
cpe:2.3:a:xml-libxml_project:xml-libxml:0.91
-
cpe:2.3:a:xml-libxml_project:xml-libxml:0.92
-
cpe:2.3:a:xml-libxml_project:xml-libxml:0.96
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.30
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.40
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.70
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.71
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.72
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.73
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.74
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.75
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.76
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.77
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.78
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.79
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.80
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.81
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.82
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.83
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.84
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.85
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.86
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.87
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.88
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.89
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.90
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.91
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.92
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.93
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.94
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.95
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.96
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.97
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.98
-
cpe:2.3:a:xml-libxml_project:xml-libxml:1.99
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0000
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0001
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0002
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0003
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0004
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0005
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0006
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0007
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0008
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0009
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0010
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0011
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0012
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0015
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0016
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0017
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0018
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0019
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0100
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0101
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0102
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0103
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0104
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0105
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0106
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0107
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0108
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0109
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0110
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0111
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0112
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0113
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0114
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0115
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0116
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0117
-
cpe:2.3:a:xml-libxml_project:xml-libxml:2.0118
-
cpe:2.3:o:canonical:ubuntu_linux:12.04
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:14.10
-
cpe:2.3:o:canonical:ubuntu_linux:15.04
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:fedoraproject:fedora:20
-
cpe:2.3:o:fedoraproject:fedora:21
-
cpe:2.3:o:opensuse:opensuse:13.1
-
cpe:2.3:o:opensuse:opensuse:13.2