CVE-2013-0340 (Medium) detected in src-73.0.3635.0

[mend-bolt-for-github]

CVE-2013-0340 - Medium Severity Vulnerability

Vulnerable Library - src73.0.3635.0

Library home page: https://chromium.googlesource.com/chromium/src

Found in HEAD commit: d3e1a03ce36b1bbe510f69661f310781c58b3612

Library Source Files (51)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/expat_external.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xpathInternals.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/catalog.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/SAX.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/encoding.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlwriter.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/pattern.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/schematron.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/c14n.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xinclude.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/dict.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlmemory.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/webp/encode.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/webp/mux.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/expat.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/webp/demux.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/parserInternals.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xmlschemas.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlregexp.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/parser.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/webp/mux_types.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/schemasInternals.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/relaxng.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/webp/types.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xmlmodule.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/nanohttp.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlsave.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xmlunicode.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlschemastypes.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/DOCBparser.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/hash.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xmlstring.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/SAX2.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libpng16/pngconf.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/uri.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlIO.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/valid.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/debugXML.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xpointer.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/chvalid.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/threads.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/HTMLparser.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xmlreader.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libpng16/png.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/HTMLtree.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlautomata.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/nanoftp.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xlink.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xmlerror.h
• /webpack-mpa-next/node_modules/sharp/vendor/include/libxml2/libxml/xpath.h
• /webpack-mpa-next/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/list.h

Vulnerability Details

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Publish Date: 2014-01-21

URL: CVE-2013-0340

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201701-21

Release Date: 2017-01-11

Fix Resolution: All Expat users should upgrade to the latest version >= expat-2.2.0-r1

---

Step up your Open Source Security Game with WhiteSource here