CVE-2013-0340 (Medium) detected in expat-sys-2.1.6.crate #159
Description
CVE-2013-0340 - Medium Severity Vulnerability
Vulnerable Library - expat-sys-2.1.6.crate
XML parser library written in C
Library home page: https://crates.io/api/v1/crates/expat-sys/2.1.6/download
Dependency Hierarchy:
- amethyst-0.15.3.crate (Root Library)
- amethyst_ui-0.15.3.crate
- font-kit-0.5.0.crate
- servo-fontconfig-0.4.0.crate
- servo-fontconfig-sys-4.0.9.crate
- ❌ expat-sys-2.1.6.crate (Vulnerable Library)
- servo-fontconfig-sys-4.0.9.crate
- servo-fontconfig-0.4.0.crate
- font-kit-0.5.0.crate
- amethyst_ui-0.15.3.crate
Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911
Found in base branch: master
Vulnerability Details
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
Publish Date: 2014-01-21
URL: CVE-2013-0340
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-0340
Release Date: 2014-01-21
Fix Resolution: ROOTMAP.Dependencies - 0.1.4;expat.v141 - 2.1.0.4;expat.v142 - 2.2.7
Step up your Open Source Security Game with Mend here