CVE-2009-3560 (Medium) detected in expat-sys-2.1.6.crate #146
Description
CVE-2009-3560 - Medium Severity Vulnerability
Vulnerable Library - expat-sys-2.1.6.crate
XML parser library written in C
Library home page: https://crates.io/api/v1/crates/expat-sys/2.1.6/download
Dependency Hierarchy:
- amethyst-0.15.3.crate (Root Library)
- amethyst_ui-0.15.3.crate
- font-kit-0.5.0.crate
- servo-fontconfig-0.4.0.crate
- servo-fontconfig-sys-4.0.9.crate
- ❌ expat-sys-2.1.6.crate (Vulnerable Library)
- servo-fontconfig-sys-4.0.9.crate
- servo-fontconfig-0.4.0.crate
- font-kit-0.5.0.crate
- amethyst_ui-0.15.3.crate
Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911
Found in base branch: master
Vulnerability Details
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
Publish Date: 2009-12-04
URL: CVE-2009-3560
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2009-12-04
Fix Resolution: R_2_2_0
Step up your Open Source Security Game with Mend here