File tree Expand file tree Collapse file tree 1 file changed +33
-0
lines changed
advisories/hackage/xml-conduit Expand file tree Collapse file tree 1 file changed +33
-0
lines changed Original file line number Diff line number Diff line change 1+ ``` toml
2+ [advisory ]
3+ id = " HSEC-2023-0004"
4+ cwe = [776 ]
5+ keywords = [" xml" " dos"
6+ aliases = [" CVE-2021-4249" " VDB-216204"
7+
8+ [[affected ]]
9+ package = " xml-conduit"
10+ cvss = " CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
11+
12+ [[affected .versions ]]
13+ introduced = " 0.5.0"
14+ fixed = " 1.9.1.0"
15+
16+ [[references ]]
17+ type = " FIX"
18+ url = " https://github.com/snoyberg/xml/pull/161"
19+ [[references ]]
20+ type = " FIX"
21+ url = " https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea"
22+ ```
23+
24+ # xml-conduit unbounded entity expansion
25+
26+ A vulnerability was found in * xml-conduit* . It has been classified
27+ as problematic. Affected is an unknown function of the file
28+ ` xml-conduit/src/Text/XML/Stream/Parse.hs ` of the component DOCTYPE
29+ Entity Expansion Handler. The manipulation leads to infinite loop.
30+ It is possible to launch the attack remotely. Upgrading to version
31+ 1.9.1.0 is able to address this issue. The name of the patch is
32+ ` 4be1021791dcdee8b164d239433a2043dc0939ea ` . It is recommended to
33+ upgrade the affected component.
You can’t perform that action at this time.
0 commit comments