Vulnerability Details : CVE-2011-1755
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Vulnerability category: Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2011-1755
Probability of exploitation activity in the next 30 days: 8.13%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 94 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2011-1755
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2011-1755
-
Assigned by: nvd@nist.gov (Primary)
-
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-1755
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html
[SECURITY] Fedora 14 Update: jabberd-2.2.14-1.fc14Mailing List
-
http://secunia.com/advisories/44957
Sign inBroken Link
-
http://www.redhat.com/support/errata/RHSA-2011-0882.html
SupportBroken Link
-
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
Apple - Lists.apple.comMailing List
-
http://secunia.com/advisories/44787
Sign inBroken Link;Vendor Advisory
-
https://hermes.opensuse.org/messages/9197650
openSUSE.org - 503Broken Link
-
http://secunia.com/advisories/45112
Sign inBroken Link
-
http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog
Broken Link
-
http://www.securityfocus.com/bid/48250
jabberd XML Parsing Denial of Service VulnerabilityBroken Link;Third Party Advisory;VDB Entry
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/67770
jabberd XML entity denial of service CVE-2011-1755 Vulnerability ReportThird Party Advisory;VDB Entry
-
http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01655.html
jabberd-2.2.14 releasePatch
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html
[SECURITY] Fedora 13 Update: jabberd-2.2.11-4.fc13Mailing List
-
https://bugzilla.redhat.com/show_bug.cgi?id=700390
700390 – (CVE-2011-1755) CVE-2011-1755 jabberd: DoS via the XML "billion laughs attack"Issue Tracking;Patch
-
http://www.redhat.com/support/errata/RHSA-2011-0881.html
SupportBroken Link
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061341.html
[SECURITY] Fedora 15 Update: jabberd-2.2.14-1.fc15Mailing List
-
http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html
jabberd-2.2.14 releaseRelease Notes
-
http://support.apple.com/kb/HT5002
About the security content of OS X Lion v10.7.2 and Security Update 2011-006 - Apple SupportThird Party Advisory
Products affected by CVE-2011-1755
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:14:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:13:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:*
- cpe:2.3:a:jabberd2:jabberd2:*:*:*:*:*:*:*:*