The vendor has confirmed that there are no active attacks against this issue. Users are advised to upgrade to the latest release. CVE-2017-9832 - Double-free in shp_setup() in shp.c of shapelib 1.5.0 and older releases allows an attacker to cause a denial of service or have other unspecified impact via control over shp_setup(). The vendor has confirmed that there are no active attacks against this issue. Users are advised to upgrade to the latest release. CVE-2017-9833 - An issue was discovered with the handling of the XSLT functions in contrib/shxsl/shpsort.c in shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over shp_setup() in shp.c. The vendor has confirmed that there are no active attacks against this issue. Users are advised to upgrade to the latest release. CVE-2017-9834 - An issue was discovered with the handling of the XSLT functions in contrib/shxsl/shpsort.c in shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over shp_setup() in shp.c. The vendor has confirmed that there are no active attacks against this issue. Users are
FAQ
Q: Why should I upgrade to 1.5.0?
A: The vendor has confirmed that there are no active attacks against this issue. Users are advised to upgrade to the latest release.
Products and versions affected
This advisory covers the following versions of shapelib:
1.5.0 - 1.5.4
1.6.0 - 1.6.5
1.8.0 - 1.8.3
1.9.0
XXE: XML External Entity Attachment
An XXE vulnerability allows an attacker to exploit an external entity that is not linked to the XML document and in particular, the location of the external entity is not specified.
If the XXE vulnerability occurs while processing a request, this may result in a denial of service or allow the attacker to access information outside of what should be accessible.
Timeline
Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 05:16:00 UTC