CVE-2009-2416 — MEDIUM (6.5)

Q: How severe is CVE-2009-2416?

CVE-2009-2416 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-2416?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml, Xmlsoft Libxml2, Fedoraproject Fedora, Debian Debian Linux, Redhat Enterprise Linux.

Vulnerability Description

Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Xmlsoft	Libxml	1.8.17
Xmlsoft	Libxml2	2.5.10
Fedoraproject	Fedora	10
Debian	Debian Linux	4.0
Redhat	Enterprise Linux	3.0
Canonical	Ubuntu Linux	6.06
Google	Chrome	< 2.0.172.43
Apple	Safari	< 4.0.4
Apple	Iphone Os	>= 2.0, < 4.0
Apple	Mac Os X	< 10.4.11
Apple	Mac Os X Server	< 10.4.11
Opensuse	Opensuse	>= 10.3, <= 11.1
Suse	Linux Enterprise	10.0
Suse	Linux Enterprise Server	9
Vmware	Vcenter Server	4.0
Vmware	Vma	4.0
Vmware	Esx	3.0.3
Vmware	Esxi	3.5
Sun	Openoffice.Org	>= 2.0.0, < 2.4.3

Related Weaknesses (CWE)

CWE-416

References

http://googlechromereleases.blogspot.com/2009/08/stable-update-security-fixes.htRelease Notes
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.htmlMailing List
http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.htmlMailing List
http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.htmlMailing List
http://secunia.com/advisories/35036Broken Link
http://secunia.com/advisories/36207Broken Link
http://secunia.com/advisories/36338Broken Link
http://secunia.com/advisories/36417Broken Link
http://secunia.com/advisories/36631Broken Link
http://secunia.com/advisories/37346Broken Link
http://secunia.com/advisories/37471Broken Link
http://support.apple.com/kb/HT3937Third Party Advisory
http://support.apple.com/kb/HT3949Third Party Advisory
http://support.apple.com/kb/HT4225Third Party Advisory

FAQ

What is CVE-2009-2416?

CVE-2009-2416 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via...

How severe is CVE-2009-2416?

CVE-2009-2416 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-2416?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml, Xmlsoft Libxml2, Fedoraproject Fedora, Debian Debian Linux, Redhat Enterprise Linux.