Vulnerability Description
The Apache Xerces C++ XML parser in versions 3.0.0 up to, but not including, 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are advised to upgrade to version 3.2.5, which fixes the issue, or to mitigate it by disabling DTD processing. This can be done via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. This issue was previously disclosed as CVE-2018-1311, but that advisory incorrectly stated it would be fixed in version 3.2.3 or 3.2.4.
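As an added triage helper (not part of this advisory or of the Xerces project), the script below checks a reported Xerces-C++ version against the affected range stated above, flags 3.2.3 and 3.2.4 as the versions the superseded CVE-2018-1311 advisory wrongly called fixed, and reports whether the XERCES_DISABLE_DTD mitigation is present in a process environment. It assumes the library only checks that the variable is set, not its value.

```python
"""Added triage helper for CVE-2024-23807: is a given Xerces-C++ build in the
affected range, and is the advisory's environment-variable mitigation present?"""
import re
from typing import Dict, Mapping, Tuple

# Affected range from the advisory: >= 3.0.0 and < 3.2.5.
FIRST_AFFECTED = (3, 0, 0)
FIXED_IN = (3, 2, 5)
# The superseded CVE-2018-1311 advisory wrongly stated these versions were fixed.
MISLABELLED_AS_FIXED = {(3, 2, 3), (3, 2, 4)}
# Environment variable named by the advisory as the SAX-side mitigation.
ENV_MITIGATION = "XERCES_DISABLE_DTD"

def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '3.2.4',
    'xerces-c 3.2.4' or 'Xerces-C++ 3.1.1-2' (distro suffixes are ignored)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)

def is_affected(version: str) -> bool:
    """True when the build falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN

def env_mitigation_present(env: Mapping[str, str]) -> bool:
    """Assumption: the library only checks that XERCES_DISABLE_DTD is set,
    not its value, so presence with any value counts."""
    return ENV_MITIGATION in env

def assess(version: str, env: Mapping[str, str]) -> Dict[str, object]:
    """Combine the version and environment checks into one triage verdict."""
    parsed = parse_version(version)
    affected = FIRST_AFFECTED <= parsed < FIXED_IN
    mitigated = affected and env_mitigation_present(env)
    if not affected:
        action = "not affected"
    elif mitigated:
        action = ("DTD processing disabled for SAX via %s; DOM code paths still "
                  "need the parser feature, upgrade to 3.2.5" % ENV_MITIGATION)
    else:
        action = "upgrade to 3.2.5 or disable DTD processing"
    note = ("CVE-2018-1311 wrongly listed this version as fixed"
            if parsed in MISLABELLED_AS_FIXED else "")
    return {"version": parsed, "affected": affected, "mitigated": mitigated,
            "action": action, "note": note}
```

Feed it the output of `pkg-config --modversion xerces-c` (or the version string from your package manager) together with `os.environ` to get a verdict per host.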
CVSS Score
CRITICAL (CVSS base score 9.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Xerces-C++ | >= 3.0.0, < 3.2.5 |
Related Weaknesses (CWE)
References
- https://github.com/apache/xerces-c/pull/54 (Exploit, Patch, Third Party Advisory)
- https://lists.apache.org/thread/c497tgn864tsbm8w0bo3f0d81s07zk9r (Mailing List, Patch, Vendor Advisory)
FAQ
What is CVE-2024-23807?
CVE-2024-23807 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Apache Xerces C++ XML parser in versions 3.0.0 up to, but not including, 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are advised to upgrade to version 3.2.5, which...
How severe is CVE-2024-23807?
CVE-2024-23807 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-23807?
Yes: version 3.2.5 fixes the issue, and disabling DTD processing mitigates it on earlier versions. See the references section above for the vendor advisory and the patch. Affected products include: Apache Xerces-C++.