Vulnerability CVE-2024-25062: Information

Description

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2024-25062

Published: Feb. 4, 2024

Modified: Feb. 13, 2024

Error type identifier: CWE-416

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
gem-nokogiri	sisyphus	1.16.2-alt1	1.16.4-alt1	ALT-PU-2024-2019-2	340134	Fixed
gem-nokogiri	sisyphus_e2k	1.16.2-alt1	1.16.2-alt1	ALT-PU-2024-6690-1	-	Fixed
gem-nokogiri	sisyphus_riscv64	1.16.2-alt1	1.16.2-alt1	ALT-PU-2024-3370-1	-	Fixed
gem-nokogiri	sisyphus_loongarch64	1.16.2-alt1	1.16.4-alt1	ALT-PU-2024-2138-1	-	Fixed
libxml2	sisyphus	2.12.5-alt1	2.12.6-alt1	ALT-PU-2024-3790-1	342268	Fixed
libxml2	sisyphus_e2k	2.12.5-alt1	2.12.6-alt1	ALT-PU-2024-3879-1	-	Fixed
libxml2	sisyphus_riscv64	2.12.5-alt1	2.12.6-alt1	ALT-PU-2024-4009-1	-	Fixed
libxml2	sisyphus_loongarch64	2.12.5-alt1	2.12.6-alt1	ALT-PU-2024-3824-1	-	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://gitlab.gnome.org/GNOME/libxml2/-/tags	Release Notes
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604	Exploit Issue Tracking

Affected configurations:
1. Configuration 1
  cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
  Start including
  2.12.0
  End excliding
  2.12.5
  cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
  End excliding
  2.11.7

Version: v24.5.1

Vulnerability CVE-2024-25062: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1