CVE-2008-4409 : libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dep

libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.

Published 2008-10-03 17:41:41

Updated 2017-08-08 01:32:37

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Exploit prediction scoring system (EPSS) score for CVE-2008-4409

Probability of exploitation activity in the next 30 days: 3.41%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 91 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2008-4409

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2008-4409

CWE-399

Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2008-4409

Red Hat 2017-08-07

Not vulnerable. This issue did not affect the versions of libxml2 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

References for CVE-2008-4409

http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html

CVEs referencing this url
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00130.html
http://openwall.com/lists/oss-security/2008/10/02/4
http://support.apple.com/kb/HT3613

About the security content of Safari 4.0 - Apple Support

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html

CVEs referencing this url
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00125.html
http://security.gentoo.org/glsa/glsa-200812-06.xml

libxml2: Multiple vulnerabilities (GLSA 200812-06) — Gentoo security

CVEs referencing this url
http://bugzilla.gnome.org/show_bug.cgi?id=554660

Exploit
http://www.vupen.com/english/advisories/2009/1522

Webmail: access your OVH emails on ovhcloud.com | OVHcloud

CVEs referencing this url
http://www.mandriva.com/security/advisories?name=MDVSA-2008:212
http://www.securityfocus.com/bid/31555
http://www.vupen.com/english/advisories/2009/1621

Webmail: access your OVH emails on ovhcloud.com | OVHcloud

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/45633
http://support.apple.com/kb/HT3639

About the security content of iOS 3.0 Software Update - Apple Support

CVEs referencing this url

Products affected by CVE-2008-4409