CVE-2022-23990

Published on: 01/26/2022 12:00:00 AM UTC

Last Modified on: 10/31/2022 05:44:00 PM UTC

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Certain versions of Debian Linux from Debian contain the following vulnerability:

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

  • CVE-2022-23990 has been assigned by URL Logo [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK LOW NONE NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED NONE NONE HIGH

CVSS2 Score: 5 - MEDIUM

Access
Vector
Access
Complexity
Authentication
NETWORK LOW NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
NONE NONE PARTIAL

CVE References

Description Tags Link
Oracle Critical Patch Update Advisory - April 2022 www.oracle.com
text/html
URL Logo MISC www.oracle.com/security-alerts/cpuapr2022.html
[R1] Nessus Versions 8.15.3 and 10.1.1 Fix Multiple Third-Party Vulnerabilities - Security Advisory | Tenable® www.tenable.com
text/html
URL Logo CONFIRM www.tenable.com/security/tns-2022-05
[CVE-2022-23990] lib: Prevent integer overflow in function doProlog by hartwork · Pull Request #551 · libexpat/libexpat · GitHub github.com
text/html
URL Logo MISC github.com/libexpat/libexpat/pull/551
Debian -- Security Information -- DSA-5073-1 expat www.debian.org
Depreciated Link
text/html
URL Logo DEBIAN DSA-5073
[SECURITY] Fedora 34 Update: mingw-expat-2.4.4-1.fc34 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2022-d2abd0858e
Expat: Multiple Vulnerabilities (GLSA 202209-24) — Gentoo security security.gentoo.org
text/html
URL Logo GENTOO GLSA-202209-24
cert-portal.siemens.com
application/pdf
URL Logo CONFIRM cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
[SECURITY] Fedora 35 Update: mingw-expat-2.4.4-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2022-88f6a3d290

Related QID Numbers

  • 159714 Oracle Enterprise Linux Security Update for expat (ELSA-2022-9227)
  • 159719 Oracle Enterprise Linux Security Update for expat (ELSA-2022-9232)
  • 179044 Debian Security Update for expat (DLA 2904-1)
  • 179068 Debian Security Update for expat (DSA 5073-1)
  • 198671 Ubuntu Security Notification for Expat Vulnerabilities (USN-5288-1)
  • 20253 Oracle Database 12.1.0.2 Critical Patch Update - April 2022
  • 20254 Oracle Database 12.1.0.2 Critical Patch Update - April 2022 (Unauthenticated)
  • 20255 Oracle Database 19c Critical Patch Update - April 2022
  • 20257 Oracle Database 21c Critical Patch Update - April 2022
  • 20258 IBM DB2 Arbitrary Code Execution Vulnerability (6573293)
  • 20285 Oracle Database 19c Critical OJVM Patch Update - April 2022
  • 240794 Red Hat Update for JBoss Core Services (RHSA-2022:7143)
  • 282365 Fedora Security Update for mingw (FEDORA-2022-d2abd0858e)
  • 282366 Fedora Security Update for mingw (FEDORA-2022-88f6a3d290)
  • 296057 Oracle Solaris 11.4 Support Repository Update (SRU) 44.113.4 Missing (bulletinapr2022)
  • 354427 Amazon Linux Security Advisory for expat : ALAS2022-2022-028
  • 354434 Amazon Linux Security Advisory for expat : ALAS2022-2022-232
  • 354570 Amazon Linux Security Advisory for expat : ALAS-2022-232
  • 376713 Tenable Nessus Multiple Third-Party Vulnerabilities (TNS-2022-05)
  • 376943 NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Disclosure of Sensitive Information Vulnerability (NTAP-20220204-0006)
  • 377786 Alibaba Cloud Linux Security Update for mingw-expat (ALINUX3-SA-2022:0183)
  • 500178 Alpine Linux Security Update for expat
  • 501401 Alpine Linux Security Update for expat
  • 501739 Alpine Linux Security Update for expat
  • 610429 Google Android Devices September 2022 Security Patch Missing
  • 610431 Google Android September 2022 Security Patch Missing for Samsung
  • 610439 Google Android October 2022 Security Patch Missing for Huawei EMUI
  • 671447 EulerOS Security Update for expat (EulerOS-SA-2022-1425)
  • 671459 EulerOS Security Update for expat (EulerOS-SA-2022-1446)
  • 671565 EulerOS Security Update for expat (EulerOS-SA-2022-1529)
  • 671588 EulerOS Security Update for expat (EulerOS-SA-2022-1562)
  • 671620 EulerOS Security Update for expat (EulerOS-SA-2022-1659)
  • 671642 EulerOS Security Update for expat (EulerOS-SA-2022-1645)
  • 671657 EulerOS Security Update for xulrunner (EulerOS-SA-2022-1774)
  • 671715 EulerOS Security Update for expat (EulerOS-SA-2022-1716)
  • 710626 Gentoo Linux Expat Multiple Vulnerabilities (GLSA 202209-24)
  • 751724 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:0495-1)
  • 751730 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:0498-1)
  • 751741 OpenSUSE Security Update for expat (openSUSE-SU-2022:0498-1)
  • 753230 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:14884-1)
  • 87486 IBM Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (6559296)
  • 87497 IBM HTTP Server Multiple Expat Vulnerabilities
  • 900618 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (8328)
  • 901283 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (8334-1)
  • 940738 AlmaLinux Security Update for mingw-expat (ALSA-2022:7811)

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
Operating
System
DebianDebian Linux10.0AllAllAll
Operating
System
DebianDebian Linux11.0AllAllAll
Operating
System
FedoraprojectFedora34AllAllAll
Operating
System
FedoraprojectFedora35AllAllAll
ApplicationLibexpat ProjectLibexpatAllAllAllAll
ApplicationOracleCommunications Metasolv Solution6.3.1AllAllAll
ApplicationSiemensSinema Remote Connect ServerAllAllAllAll
ApplicationTenableNessusAllAllAllAll
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:
  • cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:siemens:sinema_remote_connect_server:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*:

Social Mentions

Source Title Posted (UTC)
Twitter Icon @CVEreport CVE-2022-23990 : Expat aka libexpat before 2.4.4 has an integer overflow in the doProlog function.... cve.report/CVE-2022-23990 2022-01-26 18:43:30
Twitter Icon @Robo_Alerts Potentially Critical CVE Detected! CVE-2022-23990 Description: Expat (aka libexpat) before 2.4.4 has an integer ove… twitter.com/i/web/status/1… 2022-01-26 18:56:14
Reddit Logo Icon /r/netcve CVE-2022-23990 2022-01-26 19:38:28
Reddit Logo Icon /r/devsecops What to do with vulnerabilities from official upstream images? 2022-02-28 19:44:23
Reddit Logo Icon /r/k12cybersecurity MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution - PATCH: NOW 2022-09-07 12:47:49
© CVE.report 2023 Twitter Nitter Twitter Viewer |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report