CVE-2017-7375 — CRITICAL (9.8)

Q: How severe is CVE-2017-7375?

CVE-2017-7375 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-7375?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml2, Debian Debian Linux, Google Android.

Vulnerability Description

A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Xmlsoft	Libxml2	<= 2.9.4
Debian	Debian Linux	7.0
Google	Android	4.4.4

Related Weaknesses (CWE)

CWE-611

References

http://www.securityfocus.com/bid/98877Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038623Third Party AdvisoryVDB Entry
https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad41PatchThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1462203Issue TrackingPatchThird Party Advisory
https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214aPatchThird Party Advisory
https://security.gentoo.org/glsa/201711-01Third Party Advisory
https://source.android.com/security/bulletin/2017-06-01PatchThird Party Advisory
https://www.debian.org/security/2017/dsa-3952Third Party Advisory
http://www.securityfocus.com/bid/98877Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038623Third Party AdvisoryVDB Entry
https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad41PatchThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1462203Issue TrackingPatchThird Party Advisory
https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214aPatchThird Party Advisory
https://security.gentoo.org/glsa/201711-01Third Party Advisory
https://source.android.com/security/bulletin/2017-06-01PatchThird Party Advisory

FAQ

What is CVE-2017-7375?

CVE-2017-7375 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD a...

How severe is CVE-2017-7375?

CVE-2017-7375 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-7375?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml2, Debian Debian Linux, Google Android.