CVE-2024-40896

CRITICAL9.1EPSS 0.55%

發布日:2026/5/6修改日:2026/5/8

描述

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.

受影響套件(3)

Bitnami/javafrom 0, < 1.8.0, >= 1.9.0, < 8.0.461
Bitnami/java-minfrom 0, < 1.8.0, >= 1.9.0, < 8.0.461
Bitnami/jrefrom 0, < 1.8.0, >= 1.9.0, < 8.0.461

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

參考連結(4)

WEBhttps://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6
WEBhttps://gitlab.gnome.org/GNOME/libxml2/-/issues/761
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-40896
WEBhttps://security.netapp.com/advisory/ntap-20250228-0004/