CVE-2022-25235 Expat before 2.4.5 lacks validation of encoding. This can lead to issues with UTF-8 characters.

CVE-2022-25235 Expat before 2.4.5 lacks validation of encoding. This can lead to issues with UTF-8 characters.

This can result in parse error messages like " malformed UTF-8 sequence in net. c: 1:10: Incomplete multibyte sequence (1 0x28 0xFF 0xFF 0xFF 0xFF 0x28 0xFF 0xFF 0xFF 0x28 0xFF 0xFF 0xFF 0x28 0xFF 0xFF 0xFF) in 'net.c: 1:10' . This is caused by invalid UTF-8 sequences being parsed. This is a regression since Expat 2.0. CVE-2014-1814: In certain circumstances, using the XML parser with HTTP/1.1 or 1.0 can result in denial of service or potential code execution. This can happen when using the HTTP/1.1 or 1.0 protocol with XML streams that use the push model, where encoding is done as part of the stream parsing.

CVE-2014-1817: The XML parser in Expat 2.0.0 and 1.0.9 might allow remote attackers to cause a denial of service via a crafted document. This is a RESTful API vulnerability. CVE-2014-1818: There is a remote denial of service vulnerability in Expat, caused by malformed documents. This can be exploited when parsing XML documents over HTTP or other protocols that allow for input in arbitrary formats. This is a RESTful API vulnerability. CVE-2014-1819

What's an XML parser?

An XML parser is a software component used to parse and process Extensible Markup Language pages.

Stream Processing

, a Code Execution Vulnerability
Stream processing is code execution vulnerability that can be exploited when XML documents are parsed over HTTP or other protocols. Stream processing is done by using the xmlstream_process_entity() function and is triggered when a malformed UTF-8 sequence is encountered in the stream. This is an API vulnerability.

Information on the expat RESTful API vulnerability

The Expat RESTful API vulnerability is a remote denial of service vulnerability. This can be exploited when parsing XML documents over HTTP or other protocols that allow for input in arbitrary formats. This is a RESTful API vulnerability.

This can result in parse error messages like " malformed UTF-8 sequence in net.c: 1:10: Incomplete multibyte sequence (1 0x28 0xFF 0xFF 0xFF 0xFF 0x28 0xFF 0xFF 0xFF 0x28 0xFF 0xFF 0xFF

Variable Length Encoding in XML

There is a vulnerability in the XML parser in Expat, which can allow remote attackers to cause a denial of service via a crafted document. This is a RESTful API vulnerability.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe