CVE-2022-2309

Summary

CVE: CVE-2022-2309
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-07-05 10:15:00 UTC
Updated: 2023-11-07 03:46:00 UTC
Description: A NULL pointer dereference allows attackers to cause a denial of service (application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14; libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in widespread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via the iterwalk function, a crash can be triggered. The fix is lxml commit 86368e9 (listed under References), first shipped in lxml 4.9.1. The lxml 4.9.1 changelog adds a caveat that matters for triage: iterwalk() can also crash on valid input parsed with the same parser after that parser has failed on the incorrect input, so the malformed document and the document being walked need not be the same one.
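The two things a practitioner wants from this record are a way to decide whether a given deployment is in the affected lxml/libxml2 window, and a concrete picture of the parse-then-iterwalk sequence the description warns about next to the iterparse alternative it recommends. The script below is an added example, not code from the CVE record, NVD, or the lxml project. The version boundaries are taken from the description (libxml2 2.9.10 through 2.9.14) and from the lxml 4.9.1 changelog (first release with the fix); all function names, the constructed sample documents, and the assumption that lxml.etree exposes LXML_VERSION and LIBXML_VERSION as tuples are this example's own. It reads the libxml2 version that lxml actually loaded rather than the distribution's package version, because PyPI wheels bundle their own libxml2 and the distro copy is irrelevant to them.

```python
"""Version gate and code-sequence illustration for CVE-2022-2309.

Added example (not taken from the CVE record, NVD, or the lxml project).
The version boundaries come from the advisory text (libxml2 2.9.10 through
2.9.14) and from the lxml 4.9.1 changelog, the first release carrying the fix
(commit 86368e9). All function names below are this example's own.
"""
import io
from typing import Optional, Tuple

Version = Tuple[int, ...]

LIBXML2_AFFECTED_MIN: Version = (2, 9, 10)   # from the advisory text
LIBXML2_AFFECTED_MAX: Version = (2, 9, 14)   # from the advisory text
LXML_FIXED: Version = (4, 9, 1)              # lxml 4.9.1 changelog


def libxml2_in_affected_range(libxml_version: Version) -> bool:
    """True for libxml2 2.9.10 .. 2.9.14 inclusive. 2.9.9 and earlier, and
    the 2.10 series, fall outside the range the advisory names."""
    return LIBXML2_AFFECTED_MIN <= tuple(libxml_version[:3]) <= LIBXML2_AFFECTED_MAX


def is_affected(lxml_version: Version, libxml_version: Version) -> bool:
    """The crash needs both conditions: lxml older than 4.9.1 and a libxml2
    inside the affected range. Either one alone is not enough."""
    return tuple(lxml_version[:3]) < LXML_FIXED and libxml2_in_affected_range(libxml_version)


def check_installed() -> Optional[bool]:
    """Evaluate the lxml/libxml2 pair loaded in this interpreter.

    lxml.etree.LIBXML_VERSION is the runtime-loaded libxml2 (assumed tuple
    form, e.g. (2, 9, 14)), which is what matters: PyPI wheels ship their own
    libxml2 and ignore the distribution copy. Returns None if lxml is absent.
    """
    try:
        from lxml import etree
    except ImportError:
        return None
    return is_affected(etree.LXML_VERSION, etree.LIBXML_VERSION)


# Constructed sample inputs for the two code paths below.
GOOD_XML = b"<doc><a/><b><c/></b></doc>"
BAD_XML = b"<doc><unclosed>"   # deliberately malformed


def count_with_iterwalk(good_xml: bytes = GOOD_XML, bad_xml: bytes = BAD_XML) -> int:
    """The vulnerable sequence the advisory and changelog describe: one parser
    object first fails on malformed input, then parses valid input whose tree
    is walked with iterwalk(). On an affected pair this is where the
    interpreter can abort on a NULL dereference instead of raising; on a fixed
    pair it returns the element count. Which malformed inputs actually trigger
    the crash depends on the build, so this shows the sequence, not a
    guaranteed crash. Do not run it on an affected pair in a process you care
    about.
    """
    from lxml import etree
    parser = etree.XMLParser()
    try:
        etree.fromstring(bad_xml, parser)
    except etree.XMLSyntaxError:
        pass  # expected for the constructed BAD_XML
    tree = etree.fromstring(good_xml, parser)
    return sum(1 for _ in etree.iterwalk(tree, events=("start",)))


def count_with_iterparse(xml_bytes: bytes = GOOD_XML) -> int:
    """The alternative the advisory points to: iterparse() yields events while
    parsing and does not go through iterwalk()."""
    from lxml import etree
    return sum(1 for _ in etree.iterparse(io.BytesIO(xml_bytes), events=("start",)))


if __name__ == "__main__":
    status = check_installed()
    print("lxml not installed" if status is None else f"affected pair: {status}")
    if status is False:  # only walk a tree once the pair is known to be fixed
        print("iterwalk count:", count_with_iterwalk())
        print("iterparse count:", count_with_iterparse())
```

Run it inside the interpreter that serves the XML-handling code, not on the host's system Python, since each virtual environment can carry a different bundled libxml2. A deployment that pins lxml to 4.9.1 or later is out of the window regardless of the libxml2 build; one that merely upgrades the distribution's libxml2 package is not helped if lxml came from a wheel.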

Risk And Classification

Problem Types: CWE-476

NVD Known Affected Configurations (CPE 2.3)

Type              Vendor         Product  Version  Update  Edition  Language
Operating System  Fedoraproject  Fedora   36       All     All      All
Operating System  Fedoraproject  Fedora   37       All     All      All
Application       Lxml           Lxml     All      All     All      All
Application       Xmlsoft        Libxml2  All      All     All      All

Note that the NVD configuration lists lxml and libxml2 with no version bounds ("All"); the narrower condition in the description (libxml2 2.9.10 through 2.9.14, lxml without the 86368e9 fix) is the one to use when triaging.

References

Reference (Source; Link; Tags)

  • [SECURITY] Fedora 36 Update: python-lxml-4.7.1-3.fc36 - package-announce - Fedora Mailing-Lists (FEDORA; lists.fedoraproject.org)
  • lxml: Multiple Vulnerabilities (GLSA 202208-06) — Gentoo security (GENTOO; security.gentoo.org)
  • Fix a crash when incorrect parser input occurs together with usages o… · lxml/lxml@86368e9 · GitHub (MISC; github.com)
  • [SECURITY] Fedora 37 Update: python-lxml-4.9.1-1.fc37 - package-announce - Fedora Mailing-Lists (FEDORA; lists.fedoraproject.org)
  • CVE-2022-2309 lxml Vulnerability in NetApp Products | NetApp Product Security (CONFIRM; security.netapp.com)
  • huntr – Security Bounties for any GitHub repository (CONFIRM; huntr.dev)
  • CVE Program record (CVE.ORG; www.cve.org; canonical)
  • NVD vulnerability detail (NVD; nvd.nist.gov; canonical, analysis)

Legacy QID Mappings

  • 160286 Oracle Enterprise Linux Security Update for python-lxml (ELSA-2022-8226)
  • 183150 Debian Security Update for lxml (CVE-2022-2309)
  • 199063 Ubuntu Security Notification for libxml2 Vulnerabilities (USN-5760-1)
  • 199399 Ubuntu Security Notification for libxml2 Vulnerabilities (USN-6028-2)
  • 240874 Red Hat Update for python-lxml (RHSA-2022:8226)
  • 283127 Fedora Security Update for python (FEDORA-2022-ed0eeb6a20)
  • 354712 Amazon Linux Security Advisory for python-lxml : ALAS2022-2023-264
  • 355116 Amazon Linux Security Advisory for python-lxml : ALAS2023-2023-034
  • 378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
  • 502526 Alpine Linux Security Update for libxml2
  • 502740 Alpine Linux Security Update for libxml2
  • 502786 Alpine Linux Security Update for py3-lxml
  • 672101 EulerOS Security Update for python-lxml (EulerOS-SA-2022-2303)
  • 672122 EulerOS Security Update for python-lxml (EulerOS-SA-2022-2332)
  • 672140 EulerOS Security Update for python-lxml (EulerOS-SA-2022-2447)
  • 672202 EulerOS Security Update for python-lxml (EulerOS-SA-2022-2478)
  • 672255 EulerOS Security Update for python-lxml (EulerOS-SA-2022-2663)
  • 672306 EulerOS Security Update for python-lxml (EulerOS-SA-2022-2695)
  • 710581 Gentoo Linux lxml Multiple Vulnerabilities (GLSA 202208-06)
  • 752517 SUSE Enterprise Linux Security Update for python-lxml (SUSE-SU-2022:2908-1)
  • 753470 SUSE Enterprise Linux Security Update for python-lxml (SUSE-SU-2022:2878-1)
  • 902440 Common Base Linux Mariner (CBL-Mariner) Security Update for python-lxml (10049)
  • 902441 Common Base Linux Mariner (CBL-Mariner) Security Update for libxml2 (10048)
  • 902444 Common Base Linux Mariner (CBL-Mariner) Security Update for libxml2 (10058)
  • 902447 Common Base Linux Mariner (CBL-Mariner) Security Update for python-lxml (10059)
  • 903932 Common Base Linux Mariner (CBL-Mariner) Security Update for python-lxml (10059-1)
  • 903965 Common Base Linux Mariner (CBL-Mariner) Security Update for libxml2 (10058-1)
  • 903982 Common Base Linux Mariner (CBL-Mariner) Security Update for python-lxml (10049-1)
  • 903993 Common Base Linux Mariner (CBL-Mariner) Security Update for libxml2 (10048-1)
  • 940799 AlmaLinux Security Update for python-lxml (ALSA-2022:8226)
  • 960561 Rocky Linux Security Update for python-lxml (RLSA-2022:8226)
© CVE.report 2026