CVE-2022-23308

Name
CVE-2022-23308
Description
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Release Notes https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS
Patch https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
CONFIRM https://security.netapp.com/advisory/ntap-20220331-0008/
MLIST https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
CONFIRM https://support.apple.com/kb/HT213253
CONFIRM https://support.apple.com/kb/HT213255
CONFIRM https://support.apple.com/kb/HT213256
CONFIRM https://support.apple.com/kb/HT213257
CONFIRM https://support.apple.com/kb/HT213258
CONFIRM https://support.apple.com/kb/HT213254
Mailing List http://seclists.org/fulldisclosure/2022/May/33
Mailing List http://seclists.org/fulldisclosure/2022/May/35
Mailing List http://seclists.org/fulldisclosure/2022/May/34
Mailing List http://seclists.org/fulldisclosure/2022/May/37
Mailing List http://seclists.org/fulldisclosure/2022/May/36
Mailing List http://seclists.org/fulldisclosure/2022/May/38
Patch https://www.oracle.com/security-alerts/cpujul2022.html
Third Party Advisory https://security.gentoo.org/glsa/202210-03
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:* libxml2 >= None < 2.9.13

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
qt5-qtwebengine edge-community 5.15.11-r13 Bart Ribbers <bribbers@disroot.org> fixed
qt5-qtwebengine 3.22-community 5.15.11-r13 None fixed
qt5-qtwebengine 3.21-community 5.15.11-r13 None fixed
qt5-qtwebengine 3.20-community 5.15.11-r13 None fixed
qt5-qtwebengine 3.19-community 5.15.11-r13 None fixed
qt5-qtwebengine 3.18-community 5.15.11-r13 None fixed
qt5-qtwebengine 3.17-community 5.15.11-r12 Bart Ribbers <bribbers@disroot.org> fixed
libxml2.13 edge-main 2.9.13-r0 None fixed
libxml2 edge-main 2.9.13-r0 Carlo Landmeter <clandmeter@alpinelinux.org> fixed
libxml2 edge-main 2.9.11-r0 None possibly vulnerable
libxml2 edge-main 2.9.10-r7 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
libxml2 edge-main 2.9.10-r5 None possibly vulnerable
libxml2 edge-main 2.9.10-r4 None possibly vulnerable
libxml2 edge-main 2.9.8-r3 None possibly vulnerable
libxml2 edge-main 2.9.8-r1 None possibly vulnerable
libxml2 edge-main 2.9.4-r4 None possibly vulnerable
libxml2 edge-main 2.9.4-r2 None possibly vulnerable
libxml2 edge-main 2.9.4-r1 None possibly vulnerable
libxml2 3.22-main 2.9.13-r0 None fixed
libxml2 3.22-main 2.9.11-r0 None possibly vulnerable
libxml2 3.22-main 2.9.10-r5 None possibly vulnerable
libxml2 3.22-main 2.9.10-r4 None possibly vulnerable
libxml2 3.22-main 2.9.8-r3 None possibly vulnerable
libxml2 3.22-main 2.9.8-r1 None possibly vulnerable
libxml2 3.22-main 2.9.4-r4 None possibly vulnerable
libxml2 3.22-main 2.9.4-r2 None possibly vulnerable
libxml2 3.22-main 2.9.4-r1 None possibly vulnerable
libxml2 3.21-main 2.9.13-r0 None fixed
libxml2 3.21-main 2.9.11-r0 None possibly vulnerable
libxml2 3.21-main 2.9.10-r5 None possibly vulnerable
libxml2 3.21-main 2.9.10-r4 None possibly vulnerable
libxml2 3.21-main 2.9.8-r3 None possibly vulnerable
libxml2 3.21-main 2.9.8-r1 None possibly vulnerable
libxml2 3.21-main 2.9.4-r4 None possibly vulnerable
libxml2 3.21-main 2.9.4-r2 None possibly vulnerable
libxml2 3.21-main 2.9.4-r1 None possibly vulnerable
libxml2 3.20-main 2.9.13-r0 None fixed
libxml2 3.20-main 2.9.11-r0 None possibly vulnerable
libxml2 3.20-main 2.9.10-r5 None possibly vulnerable
libxml2 3.20-main 2.9.10-r4 None possibly vulnerable
libxml2 3.20-main 2.9.8-r3 None possibly vulnerable
libxml2 3.20-main 2.9.8-r1 None possibly vulnerable
libxml2 3.20-main 2.9.4-r4 None possibly vulnerable
libxml2 3.20-main 2.9.4-r2 None possibly vulnerable
libxml2 3.20-main 2.9.4-r1 None possibly vulnerable
libxml2 3.19-main 2.9.13-r0 None fixed
libxml2 3.19-main 2.9.11-r0 None possibly vulnerable
libxml2 3.19-main 2.9.10-r5 None possibly vulnerable
libxml2 3.19-main 2.9.10-r4 None possibly vulnerable
libxml2 3.19-main 2.9.8-r3 None possibly vulnerable
libxml2 3.19-main 2.9.8-r1 None possibly vulnerable
libxml2 3.19-main 2.9.4-r4 None possibly vulnerable
libxml2 3.19-main 2.9.4-r2 None possibly vulnerable
libxml2 3.19-main 2.9.4-r1 None possibly vulnerable
libxml2 3.18-main 2.9.13-r0 None fixed
libxml2 3.17-main 2.9.13-r0 None fixed
libxml2 3.12-main 2.9.13-r0 Carlo Landmeter <clandmeter@gmail.com> fixed