CVE-2017-9233 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2017-9233?

CVE-2017-9233 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-9233?

Check the references section above for vendor advisories and patch information. Affected products include: Libexpat Project Libexpat, Python Python, Debian Debian Linux.

Vulnerability Description

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libexpat Project	Libexpat	<= 2.2.0
Python	Python	>= 2.7.0, < 2.7.15
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-835 CWE-611

References

http://www.debian.org/security/2017/dsa-3898Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/06/17/7Mailing ListVDB Entry
http://www.securityfocus.com/bid/99276Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039427Third Party AdvisoryVDB Entry
https://github.com/libexpat/libexpat/blob/master/expat/ChangesRelease NotesThird Party Advisory
https://libexpat.github.io/doc/cve-2017-9233/ExploitTechnical DescriptionVendor Advisory
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e3
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8
https://support.apple.com/HT208112Third Party Advisory
https://support.apple.com/HT208113Third Party Advisory
https://support.apple.com/HT208115Third Party Advisory
https://support.apple.com/HT208144Third Party Advisory
https://support.f5.com/csp/article/K03244804Third Party Advisory
http://www.debian.org/security/2017/dsa-3898Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/06/17/7Mailing ListVDB Entry

FAQ

What is CVE-2017-9233?

CVE-2017-9233 is a vulnerability with a CVSS score of 7.5 (HIGH). XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an e...

How severe is CVE-2017-9233?

CVE-2017-9233 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-9233?

Check the references section above for vendor advisories and patch information. Affected products include: Libexpat Project Libexpat, Python Python, Debian Debian Linux.