CVE-2022-40304 — HIGH (7.8)

Q: How severe is CVE-2022-40304?

CVE-2022-40304 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-40304?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml2, Netapp Active Iq Unified Manager, Netapp Clustered Data Ontap, Netapp Clustered Data Ontap Antivirus Connector, Netapp Manageability Software Development Kit.

Vulnerability Description

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Xmlsoft	Libxml2	< 2.10.3
Netapp	Active Iq Unified Manager	-
Netapp	Clustered Data Ontap	-
Netapp	Clustered Data Ontap Antivirus Connector	-
Netapp	Manageability Software Development Kit	-
Netapp	Smi-S Provider	-
Netapp	Snapmanager	-
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H700S Firmware	-
Netapp	H700S	-
Netapp	H410S Firmware	-
Netapp	H410S	-
Netapp	H410C Firmware	-
Netapp	H410C	-
Apple	Ipados	< 15.7.2
Apple	Iphone Os	< 15.7.2
Apple	Macos	>= 11.0, < 11.7.2

Related Weaknesses (CWE)

CWE-415

References

http://seclists.org/fulldisclosure/2022/Dec/21Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/24Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/25Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/26Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/27
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c5PatchThird Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/tagsRelease NotesThird Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3PatchRelease NotesThird Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0003/Third Party Advisory
https://support.apple.com/kb/HT213531Third Party Advisory
https://support.apple.com/kb/HT213533Third Party Advisory
https://support.apple.com/kb/HT213534Third Party Advisory
https://support.apple.com/kb/HT213535Third Party Advisory
https://support.apple.com/kb/HT213536Third Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/21Mailing ListThird Party Advisory

FAQ

What is CVE-2022-40304?

CVE-2022-40304 is a vulnerability with a CVSS score of 7.8 (HIGH). An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be...

How severe is CVE-2022-40304?

CVE-2022-40304 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-40304?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml2, Netapp Active Iq Unified Manager, Netapp Clustered Data Ontap, Netapp Clustered Data Ontap Antivirus Connector, Netapp Manageability Software Development Kit.