CVE-2009-3720

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 03-11-2009 05:30

Last modified: - 14-11-2022 04:04

Total changes: - 7

Description

The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.

Common Vulnerability Scoring System (CVSS)

AV:N/AC:L/Au:N/C:N/I:N/A:P

Low

Attack complexity

Network

Attack vector

Low

Availability

None

Confidentiality

None

Integrity

Privileges required

Scope

User interaction

5.0

Base score

10.0

2.9

Exploitability score

Impact score

Verification logic

Reference

[oss-security] 20090826 Re: Re: expat bug 1990430-
https://bugs.gentoo.org/show_bug.cgi?id=280615
[oss-security] 20090821 expat bug 1990430-
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
[expat-bugs] 20090117 [ expat-Bugs-1990430 ] Parser crash with specially formatted UTF-8 sequences-
[oss-security] 20091022 Re: Re: Regarding expat bug 1990430-
http://sourceforge.net/tracker/index.php?func=detail&aid=1990430&group_id=10127&atid=110127
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log
[oss-security] 20091026 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]-
[oss-security] 20090827 Re: Re: expat bug 1990430-
[oss-security] 20090906 Re: Re: expat bug 1990430-
[oss-security] 20090826 Re: expat bug 1990430-
http://svn.python.org/view?view=rev&revision=74429
[oss-security] 20091023 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]-
[oss-security] 20091022 Re: Regarding expat bug 1990430-
[oss-security] 20091028 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]-
[oss-security] 20091022 Regarding expat bug 1990430-
MDVSA-2009:211-
MDVSA-2009:217-
MDVSA-2009:218-
MDVSA-2009:215-
SUSE-SR:2009:018-
MDVSA-2009:212-
MDVSA-2009:220-
MDVSA-2009:216-
https://bugzilla.redhat.com/show_bug.cgi?id=531697
FEDORA-2009-12737-
37324-
MDVSA-2009:219-
FEDORA-2009-12690-
37537-
1023160-
273630-
FEDORA-2009-12753-
37925-
USN-890-1-
38231-
38834-
ADV-2010-0528-
38794-
38832-
[security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates-
USN-890-6-
39478-
ADV-2010-0896-
ADV-2010-1107-
SUSE-SR:2010:011-
SUSE-SR:2010:012-
38050-
RHSA-2010:0002-
SUSE-SR:2010:013-
SUSE-SR:2010:014-
41701-
ADV-2011-0359-
43300-
SSA:2011-041-02-
RHSA-2011:0896-
FEDORA-2010-17720-
42326-
FEDORA-2010-17762-
ADV-2010-3061-
ADV-2010-3053-
ADV-2010-3035-
FEDORA-2010-17819-
42338-
FEDORA-2010-17807-
FEDORA-2010-17732-
HPSBUX02645-
oval:org.mitre.oval:def:7112-
oval:org.mitre.oval:def:12719-
oval:org.mitre.oval:def:11019-
[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20210330 svn commit: r1888194 [6/13] - /httpd/site/trunk/content/security/json/-
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-
[httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/-
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-
[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20210330 svn commit: r1073149 [7/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-
[httpd-cvs] 20210603 svn commit: r1075360 [1/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20210330 svn commit: r1073139 [6/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-
[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20210606 svn commit: r1075467 [1/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-

Keywords

CVE-2009-3720

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2009-3720

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures