CVE Vulnerabilities

CVE-2022-25235

Improper Encoding or Escaping of Output

Published: Feb 16, 2022 | Modified: Nov 07, 2023
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
9.8 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu
HIGH

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Weakness

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Affected Software

Name Vendor Start Version End Version
Libexpat Libexpat_project * 2.4.5 (excluding)
Red Hat Enterprise Linux 6 Extended Lifecycle Support RedHat expat-0:2.0.1-14.el6_10 *
Red Hat Enterprise Linux 7 RedHat firefox-0:91.7.0-3.el7_9 *
Red Hat Enterprise Linux 7 RedHat thunderbird-0:91.7.0-2.el7_9 *
Red Hat Enterprise Linux 7 RedHat expat-0:2.1.0-14.el7_9 *
Red Hat Enterprise Linux 8 RedHat firefox-0:91.7.0-3.el8_5 *
Red Hat Enterprise Linux 8 RedHat thunderbird-0:91.7.0-2.el8_5 *
Red Hat Enterprise Linux 8 RedHat mingw-expat-0:2.4.8-1.el8 *
Red Hat Enterprise Linux 8 RedHat expat-0:2.2.5-4.el8_5.3 *
Red Hat Enterprise Linux 8 RedHat xmlrpc-c-0:1.51.0-5.el8_5.1 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat firefox-0:91.7.0-3.el8_1 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat thunderbird-0:91.7.0-2.el8_1 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat expat-0:2.2.5-3.el8_1.1 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat xmlrpc-c-0:1.51.0-5.el8_1.1 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat firefox-0:91.7.0-3.el8_2 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat thunderbird-0:91.7.0-2.el8_2 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat expat-0:2.2.5-3.el8_2.2 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat xmlrpc-c-0:1.51.0-5.el8_2.1 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat firefox-0:91.7.0-3.el8_4 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat thunderbird-0:91.7.0-2.el8_4 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat expat-0:2.2.5-4.el8_4.2 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat xmlrpc-c-0:1.51.0-5.el8_4.1 *
Red Hat JBoss Core Services 1 RedHat expat *
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 RedHat redhat-virtualization-host-0:4.3.22-20220330.1.el7_9 *
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 RedHat redhat-virtualization-host-0:4.4.10-202203211649_8.5 *
Apache2 Ubuntu trusty *
Apr-util Ubuntu trusty *
Ayttm Ubuntu trusty *
Ayttm Ubuntu xenial *
Cableswig Ubuntu trusty *
Cableswig Ubuntu xenial *
Cadaver Ubuntu bionic *
Cadaver Ubuntu impish *
Cadaver Ubuntu kinetic *
Cadaver Ubuntu lunar *
Cadaver Ubuntu trusty *
Cadaver Ubuntu xenial *
Cmake Ubuntu trusty *
Coin3 Ubuntu bionic *
Coin3 Ubuntu trusty *
Coin3 Ubuntu xenial *
Expat Ubuntu bionic *
Expat Ubuntu devel *
Expat Ubuntu esm-infra/bionic *
Expat Ubuntu esm-infra/xenial *
Expat Ubuntu focal *
Expat Ubuntu impish *
Expat Ubuntu jammy *
Expat Ubuntu kinetic *
Expat Ubuntu lunar *
Expat Ubuntu mantic *
Expat Ubuntu noble *
Expat Ubuntu trusty *
Expat Ubuntu trusty/esm *
Expat Ubuntu upstream *
Expat Ubuntu xenial *
Firefox Ubuntu bionic *
Firefox Ubuntu devel *
Firefox Ubuntu focal *
Firefox Ubuntu impish *
Firefox Ubuntu jammy *
Firefox Ubuntu kinetic *
Firefox Ubuntu lunar *
Firefox Ubuntu mantic *
Firefox Ubuntu noble *
Firefox Ubuntu trusty *
Firefox Ubuntu xenial *
Gdcm Ubuntu trusty *
Ghostscript Ubuntu trusty *
Insighttoolkit Ubuntu trusty *
Insighttoolkit Ubuntu xenial *
Insighttoolkit4 Ubuntu impish *
Insighttoolkit4 Ubuntu trusty *
Insighttoolkit4 Ubuntu xenial *
Libxmltok Ubuntu bionic *
Libxmltok Ubuntu devel *
Libxmltok Ubuntu esm-apps/bionic *
Libxmltok Ubuntu esm-apps/focal *
Libxmltok Ubuntu esm-apps/jammy *
Libxmltok Ubuntu esm-apps/noble *
Libxmltok Ubuntu esm-apps/xenial *
Libxmltok Ubuntu focal *
Libxmltok Ubuntu hirsute *
Libxmltok Ubuntu impish *
Libxmltok Ubuntu jammy *
Libxmltok Ubuntu kinetic *
Libxmltok Ubuntu lunar *
Libxmltok Ubuntu mantic *
Libxmltok Ubuntu noble *
Libxmltok Ubuntu trusty *
Libxmltok Ubuntu xenial *
Matanza Ubuntu bionic *
Matanza Ubuntu impish *
Matanza Ubuntu kinetic *
Matanza Ubuntu lunar *
Matanza Ubuntu trusty *
Matanza Ubuntu xenial *
Smart Ubuntu trusty *
Swish-e Ubuntu bionic *
Swish-e Ubuntu impish *
Swish-e Ubuntu kinetic *
Swish-e Ubuntu lunar *
Swish-e Ubuntu trusty *
Swish-e Ubuntu xenial *
Tdom Ubuntu bionic *
Tdom Ubuntu impish *
Tdom Ubuntu kinetic *
Tdom Ubuntu lunar *
Tdom Ubuntu trusty *
Tdom Ubuntu xenial *
Texlive-bin Ubuntu trusty *
Thunderbird Ubuntu bionic *
Thunderbird Ubuntu devel *
Thunderbird Ubuntu focal *
Thunderbird Ubuntu impish *
Thunderbird Ubuntu jammy *
Thunderbird Ubuntu kinetic *
Thunderbird Ubuntu lunar *
Thunderbird Ubuntu mantic *
Thunderbird Ubuntu noble *
Thunderbird Ubuntu trusty *
Thunderbird Ubuntu xenial *
Vnc4 Ubuntu bionic *
Vnc4 Ubuntu trusty *
Vnc4 Ubuntu xenial *
Vtk Ubuntu trusty *
Vtk Ubuntu xenial *
Wbxml2 Ubuntu bionic *
Wbxml2 Ubuntu impish *
Wbxml2 Ubuntu kinetic *
Wbxml2 Ubuntu lunar *
Wbxml2 Ubuntu trusty *
Wbxml2 Ubuntu xenial *
Xmlrpc-c Ubuntu bionic *
Xmlrpc-c Ubuntu devel *
Xmlrpc-c Ubuntu esm-apps/bionic *
Xmlrpc-c Ubuntu esm-apps/focal *
Xmlrpc-c Ubuntu esm-apps/jammy *
Xmlrpc-c Ubuntu esm-apps/noble *
Xmlrpc-c Ubuntu esm-apps/xenial *
Xmlrpc-c Ubuntu focal *
Xmlrpc-c Ubuntu impish *
Xmlrpc-c Ubuntu jammy *
Xmlrpc-c Ubuntu kinetic *
Xmlrpc-c Ubuntu lunar *
Xmlrpc-c Ubuntu mantic *
Xmlrpc-c Ubuntu noble *
Xmlrpc-c Ubuntu trusty *
Xmlrpc-c Ubuntu trusty/esm *
Xmlrpc-c Ubuntu xenial *

Extended Description

Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead. Most products follow a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, “GET /index.html HTTP/1.1” is a structured message containing a command (“GET”) with a single argument ("/index.html") and metadata about which protocol version is being used (“HTTP/1.1”). If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly.

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
  • Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.

References