{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-49043", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-01-27T14:53:01.116Z", "dateReserved": "2025-01-26T00:00:00.000Z", "datePublished": "2025-01-26T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "libxml2", "vendor": "xmlsoft", "versions": [{"lessThan": "2.11.0", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-26T05:28:37.041Z"}, "references": [{"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"}, {"url": "https://github.com/php/php-src/issues/17467"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.11.0"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-27T14:52:22.888573Z", "id": "CVE-2022-49043", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-27T14:53:01.116Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "xmlsoft", "product": "libxml2", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.11.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"}, {"url": "https://github.com/php/php-src/issues/17467"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.11.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-26T05:28:37.041Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-49043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-27T14:52:22.888573Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-01-27T14:52:57.061Z"}}]}, "cveMetadata": {"cveId": "CVE-2022-49043", "state": "PUBLISHED", "dateUpdated": "2025-01-26T05:28:37.041Z", "dateReserved": "2025-01-26T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-01-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free."}], "id": "CVE-2022-49043", "lastModified": "2025-01-26T06:15:21.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-01-26T06:15:21.000", "references": [{"source": "cve@mitre.org", "url": "https://github.com/php/php-src/issues/17467"}, {"source": "cve@mitre.org", "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1487", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-server-rhel9:1.12.1-2", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1487", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-ui-rhel9:1.12.0-2", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1517", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libxml2-0:2.9.7-18.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-02-17T00:00:00Z"}, {"advisory": "RHSA-2025:1517", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "libxml2-0:2.9.7-18.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-02-17T00:00:00Z"}, {"advisory": "RHSA-2025:2507", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "libxml2-0:2.9.7-16.el8_8.7", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:1350", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libxml2-0:2.9.13-6.el9_5.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-02-12T00:00:00Z"}, {"advisory": "RHSA-2025:1350", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "libxml2-0:2.9.13-6.el9_5.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-02-12T00:00:00Z"}, {"advisory": "RHSA-2025:1516", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "libxml2-0:2.9.13-3.el9_2.4", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-02-17T00:00:00Z"}, {"advisory": "RHSA-2025:2678", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "libxml2-0:2.9.13-9.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-03-12T00:00:00Z"}, {"advisory": "RHSA-2025:3798", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "rhcos-417.94.202504080421-0", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-04-16T00:00:00Z"}, {"advisory": "RHSA-2025:3775", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "rhcos-418.94.202504080525-0", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-04-16T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-container-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-operator-bundle:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-router-rhel9:2.5.3-7", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}], "bugzilla": {"description": "libxml: use-after-free in xmlXIncludeAddNode", "id": "2342118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342118"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.", "A flaw was found in libxml2 where improper handling of memory allocation failures in `libxml2` can lead to crashes, memory leaks, or inconsistent states. While an attacker cannot directly control allocation failures, they may trigger denial-of-service conditions under extreme system stress."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-49043", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "libxml2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "libxml2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "libxml2", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2025-01-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49043\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49043\nhttps://github.com/php/php-src/issues/17467\nhttps://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"], "statement": "This vulnerability marked as moderate instead of important because memory allocation failures are not typically controllable by an attacker, limiting their exploitability. While improper handling of malloc failures can lead to crashes, memory leaks, or inconsistent states, it does not directly result in privilege escalation or arbitrary code execution. \nAdditionally, in most real-world scenarios, failures due to memory exhaustion occur under extreme system stress rather than as part of an intentional attack vector.", "threat_severity": "Moderate"}