CVE-2018-20843 — HIGH (7.5)

Q: How severe is CVE-2018-20843?

CVE-2018-20843 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-20843?

Check the references section above for vendor advisories and patch information. Affected products include: Libexpat Project Libexpat, Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap.

Vulnerability Description

In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libexpat Project	Libexpat	< 2.2.7
Canonical	Ubuntu Linux	12.04
Debian	Debian Linux	8.0
Fedoraproject	Fedora	29
Opensuse	Leap	15.0
Oracle	Hospitality Res 3700	>= 5.7, <= 5.7.6
Oracle	Http Server	12.1.3.0
Oracle	Outside In Technology	8.5.4
Tenable	Nessus	< 8.15.0

Related Weaknesses (CWE)

CWE-611

References

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.htmlMailing ListThird Party Advisory
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226Issue TrackingThird Party Advisory
https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/ChangesRelease NotesThird Party Advisory
https://github.com/libexpat/libexpat/issues/186Issue TrackingPatchThird Party Advisory
https://github.com/libexpat/libexpat/pull/262ExploitPatchThird Party Advisory
https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00028.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Jun/39Mailing ListThird Party Advisory
https://security.gentoo.org/glsa/201911-08Third Party Advisory
https://security.netapp.com/advisory/ntap-20190703-0001/Third Party Advisory
https://support.f5.com/csp/article/K51011533Third Party Advisory
https://usn.ubuntu.com/4040-1/Third Party Advisory
https://usn.ubuntu.com/4040-2/Third Party Advisory

FAQ

What is CVE-2018-20843?

CVE-2018-20843 is a vulnerability with a CVSS score of 7.5 (HIGH). In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough...

How severe is CVE-2018-20843?

CVE-2018-20843 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-20843?

Check the references section above for vendor advisories and patch information. Affected products include: Libexpat Project Libexpat, Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap.