{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-08-05T00:00:00", "descriptions": [{"lang": "en", "value": "Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in \"simply nested DTD structures,\" as demonstrated by the Codenomicon XML fuzzing framework."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "35986", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/35986"}, {"tags": ["x_refsource_MISC"], "url": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.codenomicon.com/labs/xml/"}, {"name": "FEDORA-2009-8345", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01136.html"}, {"name": "36201", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36201"}, {"name": "ADV-2009-2196", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/2196"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=781488&r2=781487&pathrev=781488&view=patch"}, {"name": "FEDORA-2009-8305", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01001.html"}, {"name": "MDVSA-2009:223", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:223"}, {"name": "xerces-c-dtd-dos(52321)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52321"}, {"name": "FEDORA-2009-8350", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01099.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.apache.org/viewvc?view=rev&revision=781488"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=515515"}, {"name": "FEDORA-2009-8332", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01150.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T05:27:54.875Z"}, "title": "CVE Program Container", "references": [{"name": "35986", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/35986"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.codenomicon.com/labs/xml/"}, {"name": "FEDORA-2009-8345", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01136.html"}, {"name": "36201", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/36201"}, {"name": "ADV-2009-2196", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/2196"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=781488&r2=781487&pathrev=781488&view=patch"}, {"name": "FEDORA-2009-8305", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01001.html"}, {"name": "MDVSA-2009:223", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:223"}, {"name": "xerces-c-dtd-dos(52321)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52321"}, {"name": "FEDORA-2009-8350", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01099.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://svn.apache.org/viewvc?view=rev&revision=781488"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=515515"}, {"name": "FEDORA-2009-8332", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01150.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-1885", "datePublished": "2009-08-11T18:00:00", "dateReserved": "2009-06-02T00:00:00", "dateUpdated": "2024-08-07T05:27:54.875Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:xerces-c\\+\\+:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "00E71C8D-D4DF-4F54-8CF8-D2AA67AC5690", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:xerces-c\\+\\+:2.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "1C868E93-96F3-4199-83C8-B5055629911A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in \"simply nested DTD structures,\" as demonstrated by the Codenomicon XML fuzzing framework."}, {"lang": "es", "value": "Vulnerabilidad de agotamiento de pila en validators/DTD/DTDScanner.cpp en Apache Xerces C++ v2.7.0 y v2.8.0 permite a atacantes dependientes de contexto producir una denegaci\u00f3n de servicio (ca\u00edda de aplicaci\u00f3n) a trav\u00e9s de vectores que incluyen el uso de par\u00e9ntesis anidados y unos valores de byte no validos en \"estructuras simples anidadas DTD\", como se demostro en Codenomicon XML fuzzing framework."}], "id": "CVE-2009-1885", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-08-11T18:30:00.877", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36201"}, {"source": "secalert@redhat.com", "url": "http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=781488&r2=781487&pathrev=781488&view=patch"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "http://svn.apache.org/viewvc?view=rev&revision=781488"}, {"source": "secalert@redhat.com", "url": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html"}, {"source": "secalert@redhat.com", "url": "http://www.codenomicon.com/labs/xml/"}, {"source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:223"}, {"source": "secalert@redhat.com", "url": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/35986"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/2196"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=515515"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52321"}, {"source": "secalert@redhat.com", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01001.html"}, {"source": "secalert@redhat.com", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01099.html"}, {"source": "secalert@redhat.com", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01136.html"}, {"source": "secalert@redhat.com", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01150.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36201"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=781488&r2=781487&pathrev=781488&view=patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://svn.apache.org/viewvc?view=rev&revision=781488"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.codenomicon.com/labs/xml/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:223"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/35986"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/2196"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=515515"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52321"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01099.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01136.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01150.html"}], "sourceIdentifier": "secalert@redhat.com", "vendorComments": [{"comment": "Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1885\n\nThe Red Hat Security Response Team has rated this issue as having low security impact, a future xerces-c packages update in Red Hat Enterprise MRG 1.1 may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/", "lastModified": "2009-08-12T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "xerces-c27: Stack overflow when parsing recursive XML structures", "id": "515515", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=515515"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "draft"}, "cwe": "CWE-674", "details": ["Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in \"simply nested DTD structures,\" as demonstrated by the Codenomicon XML fuzzing framework."], "name": "CVE-2009-1885", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_mrg:1", "fix_state": "Will not fix", "package_name": "xerces-c", "product_name": "Red Hat Enterprise MRG 1"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Will not fix", "package_name": "xerces-c", "product_name": "Red Hat Enterprise MRG 2"}], "public_date": "2009-08-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2009-1885\nhttps://nvd.nist.gov/vuln/detail/CVE-2009-1885"], "statement": "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}