Vulnerability Description
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
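As an added example (not part of this advisory), the following helper classifies a deployed libxml2 build against the three affected branches named above. It assumes version strings in the dotted form printed by `xml2-config --version` or the numeric LIBXML_VERSION form (major*10000 + minor*100 + micro) printed by `xmllint --version`; branches the advisory does not mention are reported as "not-listed" rather than guessed at.

```python
import re

# Fixed releases per branch, taken from the advisory text:
# 2.11 before 2.11.9, 2.12 before 2.12.9, 2.13 before 2.13.3.
FIXED_BY_BRANCH = {
    (2, 11): (2, 11, 9),
    (2, 12): (2, 12, 9),
    (2, 13): (2, 13, 3),
}


def parse_libxml2_version(text):
    """Return (major, minor, micro) from a libxml2 version string.

    Accepts the dotted form ("2.12.8", as printed by `xml2-config --version`)
    and the numeric LIBXML_VERSION form ("21208", as printed by
    `xmllint --version`), which encodes major*10000 + minor*100 + micro.
    """
    text = text.strip()
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return tuple(int(x) for x in m.groups())
    m = re.search(r"\b(\d{5})\b", text)
    if m:
        n = int(m.group(1))
        return (n // 10000, (n // 100) % 100, n % 100)
    raise ValueError(f"unrecognised libxml2 version: {text!r}")


def cve_2024_40896_status(version):
    """Classify a version against the affected ranges named in the advisory.

    Returns "vulnerable", "fixed", or "not-listed" (a branch the advisory
    does not mention, e.g. 2.9.x or 2.14+; consult vendor guidance for those).
    """
    major, minor, micro = parse_libxml2_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return "not-listed"
    return "fixed" if (major, minor, micro) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, covering both output formats the parser accepts.
    for sample in ["2.11.8", "xmllint: using libxml version 21209", "2.13.3", "2.9.14"]:
        print(f"{sample!r}: {cve_2024_40896_status(sample)}")
```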
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xmlsoft | Libxml2 | >= 2.11.0, < 2.11.9 |
| Netapp | Hci Compute Node | - |
| Netapp | Solidfire & Hci Management Node | - |
| Netapp | Solidfire & Hci Storage Node | - |
| Netapp | H300S Firmware | - |
| Netapp | H300S | - |
| Netapp | H410S Firmware | - |
| Netapp | H410S | - |
| Netapp | H500S Firmware | - |
| Netapp | H500S | - |
| Netapp | H700S Firmware | - |
| Netapp | H700S | - |
| Netapp | H410C Firmware | - |
| Netapp | H410C | - |
Related Weaknesses (CWE)
References
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c (Issue Tracking)
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/761 (Issue Tracking)
- https://security.netapp.com/advisory/ntap-20250228-0004/ (Third Party Advisory)
FAQ
What is CVE-2024-40896?
CVE-2024-40896 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
How severe is CVE-2024-40896?
CVE-2024-40896 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-40896?
Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml2, Netapp Hci Compute Node, Netapp Solidfire & Hci Management Node, Netapp Solidfire & Hci Storage Node, Netapp H300S Firmware.