CVE-2024-40896

Name
CVE-2024-40896
Description
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
NVD Severity
unknown

References

| Type | URI |
| --- | --- |
| cve@mitre.org | https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6 |
| cve@mitre.org | https://gitlab.gnome.org/GNOME/libxml2/-/issues/761 |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20250228-0004/ |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | libxml2 | >= 2.11.0 | < 2.11.9 |
| | libxml2 | >= 2.12.0 | < 2.12.9 |
| | libxml2 | >= 2.13.0 | < 2.13.3 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| libxml2 | edge-main | 2.12.8-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.12.7-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.12.6-r2 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.12.6-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.12.5-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.12.4-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.12.3-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.6-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.5-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.4-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.3-r1 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.3-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.2-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.1-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.0-r3 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.0-r2 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.0-r1 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | edge-main | 2.11.0-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | 3.22-main | 2.12.7-r0 | None | possibly vulnerable |
| libxml2 | 3.22-main | 2.12.5-r0 | None | possibly vulnerable |
| libxml2 | 3.21-main | 2.12.7-r0 | None | possibly vulnerable |
| libxml2 | 3.21-main | 2.12.5-r0 | None | possibly vulnerable |
| libxml2 | 3.20-main | 2.12.7-r3 | None | possibly vulnerable |
| libxml2 | 3.20-main | 2.12.7-r2 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | 3.20-main | 2.12.7-r1 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | 3.20-main | 2.12.7-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | 3.20-main | 2.12.5-r0 | None | possibly vulnerable |
| libxml2 | 3.19-main | 2.11.8-r3 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | 3.19-main | 2.11.8-r2 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | 3.19-main | 2.11.8-r1 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | 3.19-main | 2.11.8-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | 3.19-main | 2.11.7-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |
| libxml2 | 3.19-main | 2.11.6-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | possibly vulnerable |