CVE-2022-40303 — HIGH (7.5)

Q: How severe is CVE-2022-40303?

CVE-2022-40303 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-40303?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml2, Netapp Active Iq Unified Manager, Netapp Clustered Data Ontap, Netapp Clustered Data Ontap Antivirus Connector, Netapp Netapp Manageability Sdk.

Vulnerability Description

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Xmlsoft	Libxml2	< 2.10.3
Netapp	Active Iq Unified Manager	-
Netapp	Clustered Data Ontap	-
Netapp	Clustered Data Ontap Antivirus Connector	-
Netapp	Netapp Manageability Sdk	-
Netapp	Ontap Select Deploy Administration Utility	-
Netapp	Snapmanager	-
Apple	Ipados	< 15.7.2
Apple	Iphone Os	< 15.7.2
Apple	Macos	>= 11.0, < 11.7.2
Apple	Tvos	< 16.2
Apple	Watchos	< 9.2
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H700S Firmware	-
Netapp	H700S	-
Netapp	H410S Firmware	-
Netapp	H410S	-

Related Weaknesses (CWE)

CWE-190

References

http://seclists.org/fulldisclosure/2022/Dec/21Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/24Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/25Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/26Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/27
https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abcPatchThird Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3Release NotesThird Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0003/Third Party Advisory
https://support.apple.com/kb/HT213531Third Party Advisory
https://support.apple.com/kb/HT213533Third Party Advisory
https://support.apple.com/kb/HT213534Third Party Advisory
https://support.apple.com/kb/HT213535Third Party Advisory
https://support.apple.com/kb/HT213536Third Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/21Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/24Mailing ListThird Party Advisory

FAQ

What is CVE-2022-40303?

CVE-2022-40303 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an at...

How severe is CVE-2022-40303?

CVE-2022-40303 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-40303?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml2, Netapp Active Iq Unified Manager, Netapp Clustered Data Ontap, Netapp Clustered Data Ontap Antivirus Connector, Netapp Netapp Manageability Sdk.