Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2013-0340

Disclosure Date: January 21, 2014 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

References

Canonical

CVE-2013-0340 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0340)

BID-58233 (http://www.securityfocus.com/bid/58233)

Advisory

[oss-security] 20130221 CVEs for libxml2 and expat internal and external XML entity expansion (http://openwall.com/lists/oss-security/2013/02/22/3)

[oss-security] 20130413 Re-evaluating expat/libxml2 CVE assignments (http://www.openwall.com/lists/oss-security/2013/04/12/6)

OSVDB-90634 (http://www.osvdb.org/90634)

SECTRACK-1028213 (http://securitytracker.com/id?1028213)

GLSA-201701-21 (https://security.gentoo.org/glsa/201701-21)

https://support.apple.com/kb/HT212819

https://support.apple.com/kb/HT212814

https://support.apple.com/kb/HT212815

https://support.apple.com/kb/HT212805

https://support.apple.com/kb/HT212804

https://support.apple.com/kb/HT212807

20210921 APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15 (http://seclists.org/fulldisclosure/2021/Sep/33)

20210921 APPLE-SA-2021-09-20-2 watchOS 8 (http://seclists.org/fulldisclosure/2021/Sep/34)

20210921 APPLE-SA-2021-09-20-8 Additional information for APPLE-SA-2021-09-13-4 Security Update 2021-005 Catalina (http://seclists.org/fulldisclosure/2021/Sep/40)

20210921 APPLE-SA-2021-09-20-3 tvOS 15 (http://seclists.org/fulldisclosure/2021/Sep/35)

20210921 APPLE-SA-2021-09-20-6 Additional information for APPLE-SA-2021-09-13-1 iOS 14.8 and iPadOS 14.8 (http://seclists.org/fulldisclosure/2021/Sep/38)

20210921 APPLE-SA-2021-09-20-7 Additional information for APPLE-SA-2021-09-13-3 macOS Big Sur 11.6 (http://seclists.org/fulldisclosure/2021/Sep/39)

[announce] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs (https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d@%3Cannounce.apache.org%3E)

[openoffice-users] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs (https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702@%3Cusers.openoffice.apache.org%3E)

[oss-security] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs (http://www.openwall.com/lists/oss-security/2021/10/07/4)

20211027 APPLE-SA-2021-10-26-10 Additional information for APPLE-SA-2021-09-20-2 watchOS 8 (http://seclists.org/fulldisclosure/2021/Oct/62)

20211027 APPLE-SA-2021-10-26-11 Additional information for APPLE-SA-2021-09-20-3 tvOS 15 (http://seclists.org/fulldisclosure/2021/Oct/63)

20211027 APPLE-SA-2021-10-26-9 Additional information for APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15 (http://seclists.org/fulldisclosure/2021/Oct/61)

Miscellaneous

https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702%40%3Cusers.openoffice.apache.org%3E

Rapid7

Technical Analysis