Nixpkgs Security Tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: xercesc

Found 1 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2024-23807
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months ago
Apache Xerces C++: Use-after-free on external DTD scan

The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly stated the issue would be fixed in version 3.2.3 or 3.2.4.

References

Affected products

xerces-c
  • <3.2.5
Apache Xerces C++
  • <3.2.5

Matching in nixpkgs

pkgs.xercesc

Validating XML parser written in a portable subset of C++