CVE-2013-0340 (Medium) detected in src-71.0.3578.134

[mend-bolt-for-github]

CVE-2013-0340 - Medium Severity Vulnerability

Vulnerable Library - src71.0.3578.134

Library home page: https://chromium.googlesource.com/chromium/src

Found in HEAD commit: f686a0f9119ce1b31715bd19e5a2f4705af80098

Library Source Files (23)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/xpathInternals.h
• /infinite/node_modules/sharp/vendor/include/webp/mux_types.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/dict.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/HTMLparser.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/xmlreader.h
• /infinite/node_modules/sharp/vendor/include/expat.h
• /infinite/node_modules/sharp/vendor/include/libpng16/png.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/parserInternals.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/hash.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/xmlstring.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/nanoftp.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/encoding.h
• /infinite/node_modules/sharp/vendor/include/libpng16/pngconf.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/parser.h
• /infinite/node_modules/sharp/vendor/include/webp/decode.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/schemasInternals.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/xmlerror.h
• /infinite/node_modules/sharp/vendor/include/webp/demux.h
• /infinite/node_modules/sharp/vendor/include/webp/mux.h
• /infinite/node_modules/sharp/vendor/include/webp/encode.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/list.h
• /infinite/node_modules/sharp/vendor/include/webp/types.h
• /infinite/node_modules/sharp/vendor/include/libxml2/libxml/threads.h

Vulnerability Details

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Publish Date: 2014-01-21

URL: CVE-2013-0340

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201701-21

Release Date: 2017-01-11

Fix Resolution: All Expat users should upgrade to the latest version >= expat-2.2.0-r1

---

Step up your Open Source Security Game with WhiteSource here