Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2023-52426

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Published: Feb 04, 2024 | Modified: Nov 21, 2024
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
5.5 MODERATE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2023-52426
CWEhttps://cwe.mitre.org/data/definitions/776.html

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

Weakness

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Affected Software

Name Vendor Start Version End Version
Libexpat Libexpat_project * 2.5.0 (including)
Apache2 Ubuntu trusty *
Apr-util Ubuntu trusty *
Ayttm Ubuntu trusty *
Ayttm Ubuntu xenial *
Cableswig Ubuntu trusty *
Cableswig Ubuntu xenial *
Cadaver Ubuntu bionic *
Cadaver Ubuntu mantic *
Cadaver Ubuntu trusty *
Cadaver Ubuntu xenial *
Cmake Ubuntu trusty *
Coin3 Ubuntu bionic *
Coin3 Ubuntu trusty *
Coin3 Ubuntu trusty/esm *
Coin3 Ubuntu xenial *
Expat Ubuntu bionic *
Expat Ubuntu devel *
Expat Ubuntu noble *
Expat Ubuntu oracular *
Expat Ubuntu trusty *
Expat Ubuntu upstream *
Expat Ubuntu xenial *
Firefox Ubuntu bionic *
Firefox Ubuntu trusty *
Firefox Ubuntu xenial *
Gdcm Ubuntu trusty *
Ghostscript Ubuntu trusty *
Insighttoolkit4 Ubuntu bionic *
Insighttoolkit4 Ubuntu trusty *
Insighttoolkit4 Ubuntu xenial *
Libxmltok Ubuntu bionic *
Libxmltok Ubuntu trusty *
Libxmltok Ubuntu xenial *
Matanza Ubuntu bionic *
Matanza Ubuntu devel *
Matanza Ubuntu esm-apps/bionic *
Matanza Ubuntu esm-apps/focal *
Matanza Ubuntu esm-apps/jammy *
Matanza Ubuntu esm-apps/noble *
Matanza Ubuntu esm-apps/xenial *
Matanza Ubuntu focal *
Matanza Ubuntu jammy *
Matanza Ubuntu mantic *
Matanza Ubuntu noble *
Matanza Ubuntu oracular *
Matanza Ubuntu trusty *
Matanza Ubuntu xenial *
Smart Ubuntu trusty *
Swish-e Ubuntu bionic *
Swish-e Ubuntu mantic *
Swish-e Ubuntu trusty *
Swish-e Ubuntu xenial *
Tdom Ubuntu bionic *
Tdom Ubuntu mantic *
Tdom Ubuntu trusty *
Tdom Ubuntu xenial *
Texlive-bin Ubuntu trusty *
Thunderbird Ubuntu bionic *
Thunderbird Ubuntu mantic *
Thunderbird Ubuntu trusty *
Thunderbird Ubuntu xenial *
Vnc4 Ubuntu bionic *
Vnc4 Ubuntu trusty *
Vnc4 Ubuntu xenial *
Vtk Ubuntu trusty *
Vtk Ubuntu trusty/esm *
Vtk Ubuntu xenial *
Wbxml2 Ubuntu bionic *
Wbxml2 Ubuntu trusty *
Wbxml2 Ubuntu xenial *
Xmlrpc-c Ubuntu bionic *
Xmlrpc-c Ubuntu trusty *
Xmlrpc-c Ubuntu xenial *

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use