N/A

libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.

N/A

N/A

libxml2 权限许可和访问控制问题漏洞

libxml2是开源的一个用来解析XML文档的函数库。它用C语言写成，并且能为多种语言所调用，例如C语言，C++，XSH。 libxml2 2.9.1及之前版本中存在权限许可和访问控制问题漏洞。该漏洞源于程序没有正确地处理外部实体扩展。远程攻击者可借助恶意的XML文档利用该漏洞造成拒绝服务（资源消耗），向内网服务器发送HTTP请求，或读取任意文件。

N/A

N/A