CVE-2018-20843
Summary
| CVE | CVE-2018-20843 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-06-24 17:15:00 UTC |
| Updated | 2023-11-07 02:56:00 UTC |
| Description | In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). |
Risk And Classification
Problem Types: CWE-611
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.10 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 19.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.10 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 19.04 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 29 | All | All | All |
| Operating System | Fedoraproject | Fedora | 30 | All | All | All |
| Operating System | Fedoraproject | Fedora | 29 | All | All | All |
| Operating System | Fedoraproject | Fedora | 30 | All | All | All |
| Application | Libexpat Project | Libexpat | All | All | All | All |
| Application | Libexpat Project | Libexpat | All | All | All | All |
| Operating System | Opensuse | Leap | 15.0 | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
| Operating System | Opensuse | Leap | 15.0 | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
| Application | Oracle | Hospitality Res 3700 | All | All | All | All |
| Application | Oracle | Http Server | 12.1.3.0 | All | All | All |
| Application | Oracle | Http Server | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Outside In Technology | 8.5.4 | All | All | All |
| Application | Oracle | Outside In Technology | 8.5.5 | All | All | All |
| Application | Oracle | Outside In Technology | 8.5.4 | All | All | All |
| Application | Oracle | Outside In Technology | 8.5.5 | All | All | All |
| Application | Tenable | Nessus | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| libexpat/Changes at R_2_2_7 · libexpat/libexpat · GitHub | MISC | github.com | Release Notes, Third Party Advisory |
| Bugtraq: [SECURITY] [DSA 4472-1] expat security update | BUGTRAQ | seclists.org | Mailing List, Third Party Advisory |
| xmlparse.c: Fix extraction of namespace prefix from XML name (#186) by hartwork · Pull Request #262 · libexpat/libexpat · GitHub | MISC | github.com | Exploit, Patch, Third Party Advisory |
| [SECURITY] Fedora 30 Update: expat-2.2.7-1.fc30 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [CVE-2018-20843] 88k xml file uses >2G memory · Issue #186 · libexpat/libexpat · GitHub | MISC | github.com | Issue Tracking, Patch, Third Party Advisory |
| [R1] Nessus 8.15.0 Fixes Multiple Vulnerabilities - Security Advisory | Tenable® | CONFIRM | www.tenable.com | |
| xmlparse.c: Fix extraction of namespace prefix from XML name (#186) by hartwork · Pull Request #262 · libexpat/libexpat · GitHub | MISC | github.com | Patch, Third Party Advisory |
| Oracle Critical Patch Update Advisory - October 2020 | MISC | www.oracle.com | Third Party Advisory |
| [security-announce] openSUSE-SU-2019:1777-1: moderate: Security update f | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| CVE-2018-20843 Expat Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Debian -- Security Information -- DSA-4472-1 expat | DEBIAN | www.debian.org | Third Party Advisory |
| Expat: Multiple vulnerabilities (GLSA 201911-08) — Gentoo security | GENTOO | security.gentoo.org | Third Party Advisory |
| USN-4040-1: Expat vulnerability | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | Third Party Advisory |
| [SECURITY] Fedora 30 Update: expat-2.2.7-1.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| 5226 - oss-fuzz - OSS-Fuzz: Fuzzing the planet - Monorail | MISC | bugs.chromium.org | Issue Tracking, Third Party Advisory |
| support.f5.com/csp/article/K51011533 | CONFIRM | support.f5.com | Third Party Advisory |
| USN-4040-2: Expat vulnerability | Ubuntu security notices | UBUNTU | usn.ubuntu.com | Third Party Advisory |
| [SECURITY] Fedora 29 Update: expat-2.2.7-1.fc29 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 29 Update: expat-2.2.7-1.fc29 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2020 | N/A | www.oracle.com | Third Party Advisory |
| [SECURITY] [DLA 1839-1] expat security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 375654 Tenable Nessus Multiple Vulnerabilities (TNS-2021-11)
- 375688 F5 BIG-IP ASM,LTM,APM BIG-IP XML Parser Vulnerability (K51011533)
- 375965 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (CPUOCT2021)
- 376862 IBM Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (964768)
- 377390 Alibaba Cloud Linux Security Update for expat (ALINUX3-SA-2022:0042)
- 377519 Alibaba Cloud Linux Security Update for expat (ALINUX2-SA-2020:0139)
- 500180 Alpine Linux Security Update for expat
- 503912 Alpine Linux Security Update for expat
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 710115 Gentoo Linux Expat Multiple vulnerabilities (GLSA 201911-08)
- 730076 IBM MQ Appliance Denial of Service Vulnerability (6403285)
- 770068 Red Hat OpenShift Container Platform 4.6 Security Update (RHSA-2021:0436)
- 900122 CBL-Mariner Linux Security Update for expat 2.2.6
- 902970 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (1830)
- 940069 AlmaLinux Security Update for expat (ALSA-2020:4484)
- 940279 AlmaLinux Security Update for mingw-expat (ALSA-2020:4846)
- 960369 Rocky Linux Security Update for mingw-expat (RLSA-2020:4846)
- 960835 Rocky Linux Security Update for expat (RLSA-2020:4484)