CVE-2024-28757 — HIGH (7.5)

Q: What is CVE-2024-28757?

CVE-2024-28757 is a vulnerability with a CVSS score of 7.5 (HIGH). libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Q: How severe is CVE-2024-28757?

CVE-2024-28757 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-28757?

Check the references section above for vendor advisories and patch information. Affected products include: Libexpat Project Libexpat, Fedoraproject Fedora, Netapp Active Iq Unified Manager, Netapp Oncommand Workflow Automation, Netapp Ontap.

Vulnerability Description

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libexpat Project	Libexpat	< 2.6.2
Fedoraproject	Fedora	38
Netapp	Active Iq Unified Manager	-
Netapp	Oncommand Workflow Automation	-
Netapp	Ontap	9
Netapp	Ontap Tools	10
Netapp	Windows Host Utilities	-
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H700S Firmware	-
Netapp	H700S	-
Netapp	H410S Firmware	-
Netapp	H410S	-
Netapp	H410C Firmware	-
Netapp	H410C	-
Netapp	H610C Firmware	-
Netapp	H610C	-
Netapp	H610S Firmware	-

Related Weaknesses (CWE)

CWE-776

References

http://www.openwall.com/lists/oss-security/2024/03/15/1Mailing ListPatchRelease Notes
https://github.com/libexpat/libexpat/issues/839ExploitIssue TrackingPatch
https://github.com/libexpat/libexpat/pull/842Issue TrackingPatch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://security.netapp.com/advisory/ntap-20240322-0001/Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/15/1Mailing ListPatchRelease Notes
https://github.com/libexpat/libexpat/issues/839ExploitIssue TrackingPatch
https://github.com/libexpat/libexpat/pull/842Issue TrackingPatch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/[email protected]
https://lists.fedoraproject.org/archives/list/[email protected]

FAQ

What is CVE-2024-28757?

CVE-2024-28757 is a vulnerability with a CVSS score of 7.5 (HIGH). libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

How severe is CVE-2024-28757?

CVE-2024-28757 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-28757?

Check the references section above for vendor advisories and patch information. Affected products include: Libexpat Project Libexpat, Fedoraproject Fedora, Netapp Active Iq Unified Manager, Netapp Oncommand Workflow Automation, Netapp Ontap.