IM
IronMonkey Threat Research

CVE-2020-24977 MEDIUM

Published: 2020-09-04 | Last Modified: 2024-11-21 | Status: Modified

Description

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.

Additional Descriptions (1)

El proyecto de GNOME libxml2 v2.9.10 tiene una vulnerabilidad de sobre lectura del buffer global en xmlEncodeEntitiesInternal en libxml2/entities.c. El problema ha sido corregido en el commit 50f06b3e

CVSS Metrics

Base Score: 6.5 (MEDIUM)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactLOW
Integrity ImpactNONE
Availability ImpactLOW

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 2.5

Base Score: 6.4 (MEDIUM)

AV:N/AC:L/Au:N/C:P/I:N/A:P

Access VectorNETWORK
Access ComplexityLOW
AuthenticationNONE
Confidentiality ImpactPARTIAL
Integrity ImpactNONE
Availability ImpactPARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 10.0

Impact Score: 4.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-125

Affected Products

Vendor Product Version Update Type
xmlsoft libxml2 2.9.10 <built-in method update of dict object at 0x72a9cc660300> Application
debian debian_linux 9.0 <built-in method update of dict object at 0x72a9cc660840> Operating System
fedoraproject fedora 31 <built-in method update of dict object at 0x72a9cc661c80> Operating System
fedoraproject fedora 32 <built-in method update of dict object at 0x72a9cc81a4c0> Operating System
fedoraproject fedora 33 <built-in method update of dict object at 0x72a9cc819c80> Operating System
opensuse leap 15.1 <built-in method update of dict object at 0x72a9cc81a080> Operating System
opensuse leap 15.2 <built-in method update of dict object at 0x72a9cc81b8c0> Operating System
netapp active_iq_unified_manager * <built-in method update of dict object at 0x72a9cc81a9c0> Application
netapp active_iq_unified_manager * <built-in method update of dict object at 0x72a9cc819b80> Application
netapp clustered_data_ontap - <built-in method update of dict object at 0x72a9cc81a480> Application
netapp clustered_data_ontap_antivirus_connector - <built-in method update of dict object at 0x72a9cd08c240> Application
netapp inventory_collect_tool - <built-in method update of dict object at 0x72a9cc660600> Application
netapp manageability_software_development_kit - <built-in method update of dict object at 0x72a9cd08e4c0> Application
netapp snapdrive - <built-in method update of dict object at 0x72a9cc660540> Application
netapp snapdrive - <built-in method update of dict object at 0x72a9cc662100> Application
netapp hci_h410c_firmware - <built-in method update of dict object at 0x72a9cd08c600> Operating System
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0 <built-in method update of dict object at 0x72a9cc660a00> Application
oracle enterprise_manager_base_platform 13.4.0.0 <built-in method update of dict object at 0x72a9cc81a640> Application
oracle enterprise_manager_base_platform 13.5.0.0 <built-in method update of dict object at 0x72a9b0e0f1c0> Application
oracle enterprise_manager_ops_center 12.4.0.0 <built-in method update of dict object at 0x72a9cc81b480> Application
oracle http_server 12.2.1.3.0 <built-in method update of dict object at 0x72a9cc81a780> Application
oracle http_server 12.2.1.4.0 <built-in method update of dict object at 0x72a9cc661a40> Application
oracle mysql_workbench * <built-in method update of dict object at 0x72a9cd08f200> Application
oracle peoplesoft_enterprise_peopletools 8.58 <built-in method update of dict object at 0x72a9cc81ae40> Application
oracle real_user_experience_insight 13.4.1.0 <built-in method update of dict object at 0x72a9cc874240> Application
oracle real_user_experience_insight 13.5.1.0 <built-in method update of dict object at 0x72a9cd08e600> Application

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:xmlsoft:libxml2:2.9.10:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Yes cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Yes cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Yes cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
Yes cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
Yes cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Yes cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*
Yes cpe:2.3:a:netapp:inventory_collect_tool:-:*:*:*:*:*:*:*
Yes cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*
Yes cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*
Yes cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:netapp:hci_h410c_firmware:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:netapp:hci_h410c:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*

References

Notification
Message here