CVE-2022-25235

Summary

CVE	CVE-2022-25235
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-02-16 01:15:00 UTC
Updated	2023-11-07 03:44:00 UTC
Description	xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Risk And Classification

Problem Types: CWE-116

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Application	Libexpat Project	Libexpat	All	All	All	All
Application	Oracle	Http Server	12.2.1.3.0	All	All	All
Application	Oracle	Http Server	12.2.1.4.0	All	All	All
Application	Oracle	Zfs Storage Appliance Kit	8.8	All	All	All
Application	Siemens	Sinema Remote Connect Server	All	All	All	All

References

Reference	Source	Link	Tags
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
February 2022 Expat Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] Fedora 35 Update: mingw-expat-2.4.6-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] [DLA 2935-1] expat security update	MLIST	lists.debian.org
[SECURITY] Fedora 35 Update: mingw-expat-2.4.6-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
oss-security - Expat 2.4.5 released, includes 5 security fixes	MLIST	www.openwall.com	Mailing List, Third Party Advisory
[CVE-2022-25235] lib: Protect against malformed encoding (e.g. malformed UTF-8) by hartwork · Pull Request #562 · libexpat/libexpat · GitHub	MISC	github.com	Patch, Third Party Advisory
[SECURITY] Fedora 34 Update: mingw-expat-2.4.6-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Expat: Multiple Vulnerabilities (GLSA 202209-24) — Gentoo security	GENTOO	security.gentoo.org
Debian -- Security Information -- DSA-5085-1 expat	DEBIAN	www.debian.org	Third Party Advisory
cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf	CONFIRM	cert-portal.siemens.com
[SECURITY] Fedora 34 Update: mingw-expat-2.4.6-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159696 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-0824)
159697 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-0818)
159705 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-0845)
159706 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-0850)
159712 Oracle Enterprise Linux Security Update for expat (ELSA-2022-0951)
159733 Oracle Enterprise Linux Security Update for expat (ELSA-2022-1069)
159776 Oracle Enterprise Linux Security Update for xmlrpc-c (ELSA-2022-1643)
159782 Oracle Enterprise Linux Security Update for expat (ELSA-2022-9359)
179091 Debian Security Update for expat (DSA 5085-1)
179107 Debian Security Update for expat (DLA 2935-1)
184672 Debian Security Update for expat (CVE-2022-25235)
198671 Ubuntu Security Notification for Expat Vulnerabilities (USN-5288-1)
20259 IBM DB2 Multiple Vulnerabilities (6597637)
240124 Red Hat Update for firefox (RHSA-2022:0817)
240132 Red Hat Update for firefox (RHSA-2022:0824)
240133 Red Hat Update for firefox (RHSA-2022:0818)
240136 Red Hat Update for firefox (RHSA-2022:0816)
240141 Red Hat Update for thunderbird (RHSA-2022:0853)
240142 Red Hat Update for thunderbird (RHSA-2022:0845)
240143 Red Hat Update for thunderbird (RHSA-2022:0843)
240145 Red Hat Update for thunderbird (RHSA-2022:0850)
240155 Red Hat Update for expat (RHSA-2022:0951)
240166 Red Hat Update for expat (RHSA-2022:1012)
240186 Red Hat Update for expat (RHSA-2022:1069)
240187 Red Hat Update for expat (RHSA-2022:1070)
240245 Red Hat Update for xmlrpc-c (RHSA-2022:1540)
240247 Red Hat Update for xmlrpc-c (RHSA-2022:1644)
240251 Red Hat Update for xmlrpc-c (RHSA-2022:1643)
240433 Red Hat Update for thunderbird (RHSA-2022:0847)
240436 Red Hat Update for expat (RHSA-2022:1068)
240794 Red Hat Update for JBoss Core Services (RHSA-2022:7143)
257160 CentOS Security Update for expat (CESA-2022:1069)
257161 CentOS Security Update for firefox (CESA-2022:0824)
257164 CentOS Security Update for thunderbird (CESA-2022:0850)
282449 Fedora Security Update for mingw (FEDORA-2022-3d9d67f558)
282450 Fedora Security Update for mingw (FEDORA-2022-04f206996b)
296057 Oracle Solaris 11.4 Support Repository Update (SRU) 44.113.4 Missing (bulletinapr2022)
330124 IBM AIX Multiple Vulnerabilities in Python (python_advisory)
353198 Amazon Linux Security Advisory for expat : ALAS-2022-1573
353200 Amazon Linux Security Advisory for expat : ALAS2-2022-1764
353262 Amazon Linux Security Advisory for thunderbird : ALAS2-2022-1779
353937 Amazon Linux Security Advisory for xmlrpc-c : ALAS-2022-1585
353940 Amazon Linux Security Advisory for xmlrpc-c : ALAS2-2022-1795
354299 Amazon Linux Security Advisory for xmlrpc-c : ALAS2022-2022-080
354434 Amazon Linux Security Advisory for expat : ALAS2022-2022-232
354490 Amazon Linux Security Advisory for expat : ALAS2022-2022-036
354570 Amazon Linux Security Advisory for expat : ALAS-2022-232
354627 Amazon Linux Security Advisory for expat : AL2012-2022-359
354629 Amazon Linux Security Advisory for xmlrpc-c : AL2012-2022-361
355200 Amazon Linux Security Advisory for xmlrpc-c : ALAS2023-2023-068
355281 Amazon Linux Security Advisory for expat : ALAS2023-2023-058
376583 F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Expat Vulnerability (K19473898)
376986 Alibaba Cloud Linux Security Update for xmlrpc-c (ALINUX3-SA-2022:0035)
377041 Alibaba Cloud Linux Security Update for expat (ALINUX2-SA-2022:0017)
377097 Alibaba Cloud Linux Security Update for expat (ALINUX3-SA-2022:0021)
377786 Alibaba Cloud Linux Security Update for mingw-expat (ALINUX3-SA-2022:0183)
38862 NetApp Data Open Network Technology for Appliance Products (ONTAP) Denial of Service (DoS) Vulnerability (NTAP-20210303-0002)
390283 Oracle Managed Virtualization (VM) Server for x86 Security Update for expat (OVMSA-2023-0009)
44025 Juniper Network Operating System (Junos OS) Multiple Vulnerabilities (JSA70605)
500179 Alpine Linux Security Update for expat
501402 Alpine Linux Security Update for expat
501740 Alpine Linux Security Update for expat
503916 Alpine Linux Security Update for expat
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
6140106 AWS Bottlerocket Security Update for libexpat (GHSA-m5gv-vh63-f8qf)
671565 EulerOS Security Update for expat (EulerOS-SA-2022-1529)
671588 EulerOS Security Update for expat (EulerOS-SA-2022-1562)
671715 EulerOS Security Update for expat (EulerOS-SA-2022-1716)
671757 EulerOS Security Update for expat (EulerOS-SA-2022-1786)
671760 EulerOS Security Update for expat (EulerOS-SA-2022-1803)
671787 EulerOS Security Update for expat (EulerOS-SA-2022-1861)
671796 EulerOS Security Update for expat (EulerOS-SA-2022-1837)
710626 Gentoo Linux Expat Multiple Vulnerabilities (GLSA 202209-24)
751782 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:0698-1)
751795 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:0713-1)
751810 OpenSUSE Security Update for expat (openSUSE-SU-2022:0713-1)
752302 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:2294-1)
753324 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:14903-1)
87487 IBM Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (6560814)
900675 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (8601)
901797 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (8603-1)
904940 Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (12411)
904944 Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (12306)
904962 Common Base Linux Mariner (CBL-Mariner) Security Update for mozjs60 (12372)
905012 Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (12479)
940460 AlmaLinux Security Update for firefox (ALSA-2022:0818)
940465 AlmaLinux Security Update for thunderbird (ALSA-2022:0845)
940473 AlmaLinux Security Update for expat (ALSA-2022:0951)
940490 AlmaLinux Security Update for xmlrpc-c (ALSA-2022:1643)
940738 AlmaLinux Security Update for mingw-expat (ALSA-2022:7811)
960566 Rocky Linux Security Update for xmlrpc-c (RLSA-2022:1643)
960832 Rocky Linux Security Update for thunderbird (RLSA-2022:0845)
960834 Rocky Linux Security Update for firefox (RLSA-2022:0818)
960848 Rocky Linux Security Update for expat (RLSA-2022:0951)