CVE-2013-0340 - 漏洞详情

CVE-2013-0340 (CNNVD-201303-096)

MEDIUM

中文标题:

Expat 代码问题漏洞

英文标题:

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer ...

CVSS分数: 6.8

发布时间: 2014-01-21 18:00:00

漏洞类型: 代码问题

状态: PUBLISHED

数据质量分数: 0.30

数据版本: v3

漏洞描述

中文描述:

Expat是一款使用C语言编写的快速流式XML解析器。 Expat 2.1.0及之前的版本中存在代码问题漏洞。当程序处理XML Internal Entities扩展时，远程攻击者可借助恶意的XML文档利用该漏洞造成拒绝服务（资源消耗），向内网服务器发送HTTP请求，或读取任意文件。

英文描述:

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

CWE类型:

CWE-611

标签:

（暂无数据）

受影响产品

厂商	产品	版本	版本范围	平台	CPE
libexpat_project	libexpat	*	-	-	`cpe:2.3:a:libexpat_project:libexpat::::::::`
python	python	*	-	-	`cpe:2.3:a:python:python::::::::`
apple	ipados	*	-	-	`cpe:2.3:o:apple:ipados::::::::`
apple	iphone_os	*	-	-	`cpe:2.3:o:apple:iphone_os::::::::`
apple	macos	*	-	-	`cpe:2.3:o:apple:macos::::::::`
apple	tvos	*	-	-	`cpe:2.3:o:apple:tvos::::::::`
apple	watchos	*	-	-	`cpe:2.3:o:apple:watchos::::::::`

解决方案

中文解决方案:

（暂无数据）

英文解决方案:

（暂无数据）

临时解决方案:

（暂无数据）

参考链接

[oss-security] 20130221 CVEs for libxml2 and expat internal and external XML entity expansion mailing-list
cve.org

[oss-security] 20130413 Re-evaluating expat/libxml2 CVE assignments mailing-list
cve.org

90634 vdb-entry
cve.org

1028213 vdb-entry
cve.org

GLSA-201701-21 vendor-advisory
cve.org

58233 vdb-entry
cve.org

无标题 x_refsource_CONFIRM
cve.org

无标题 x_refsource_CONFIRM
cve.org

无标题 x_refsource_CONFIRM
cve.org

无标题 x_refsource_CONFIRM
cve.org

无标题 x_refsource_CONFIRM
cve.org

无标题 x_refsource_CONFIRM
cve.org

20210921 APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15 mailing-list
cve.org

20210921 APPLE-SA-2021-09-20-2 watchOS 8 mailing-list
cve.org

20210921 APPLE-SA-2021-09-20-8 Additional information for APPLE-SA-2021-09-13-4 Security Update 2021-005 Catalina mailing-list
cve.org

20210921 APPLE-SA-2021-09-20-3 tvOS 15 mailing-list
cve.org

20210921 APPLE-SA-2021-09-20-6 Additional information for APPLE-SA-2021-09-13-1 iOS 14.8 and iPadOS 14.8 mailing-list
cve.org

20210921 APPLE-SA-2021-09-20-7 Additional information for APPLE-SA-2021-09-13-3 macOS Big Sur 11.6 mailing-list
cve.org

[announce] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs mailing-list
cve.org

[openoffice-users] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs mailing-list
cve.org

[oss-security] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs mailing-list
cve.org

20211027 APPLE-SA-2021-10-26-10 Additional information for APPLE-SA-2021-09-20-2 watchOS 8 mailing-list
cve.org

20211027 APPLE-SA-2021-10-26-11 Additional information for APPLE-SA-2021-09-20-3 tvOS 15 mailing-list
cve.org

20211027 APPLE-SA-2021-10-26-9 Additional information for APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15 mailing-list
cve.org

CVSS评分详情

6.8

MEDIUM

CVSS向量: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS版本: 2.0

机密性

PARTIAL

完整性

PARTIAL

可用性

PARTIAL

时间信息

发布时间:

2014-01-21 18:00:00

修改时间:

2024-08-06 14:25:10

创建时间:

2025-11-11 15:33:30

更新时间:

2025-11-11 15:50:36

利用信息

暂无可利用代码信息

数据源详情

数据源	记录ID	版本	提取时间
CVE	`cve_CVE-2013-0340`	2025-11-11 15:18:33	2025-11-11 07:33:30
NVD	`nvd_CVE-2013-0340`	2025-11-11 14:54:17	2025-11-11 07:42:18
CNNVD	`cnnvd_CNNVD-201303-096`	2025-11-11 15:09:20	2025-11-11 07:50:36

版本与语言

当前版本: v3

主要语言: EN

支持语言:

EN ZH

安全公告

暂无安全公告信息

变更历史

v3 CNNVD

2025-11-11 15:50:36

vulnerability_type: 未提取 → 代码问题; cnnvd_id: 未提取 → CNNVD-201303-096; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']

查看详细变更

vulnerability_type: 未提取 -> 代码问题
cnnvd_id: 未提取 -> CNNVD-201303-096
data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']

v2 NVD

2025-11-11 15:42:18

cvss_score: 未提取 → 6.8; cvss_vector: NOT_EXTRACTED → AV:N/AC:M/Au:N/C:P/I:P/A:P; cvss_version: NOT_EXTRACTED → 2.0; affected_products_count: 0 → 7; data_sources: ['cve'] → ['cve', 'nvd']

查看详细变更

cvss_score: 未提取 -> 6.8
cvss_vector: NOT_EXTRACTED -> AV:N/AC:M/Au:N/C:P/I:P/A:P
cvss_version: NOT_EXTRACTED -> 2.0
affected_products_count: 0 -> 7
data_sources: ['cve'] -> ['cve', 'nvd']