Overview
Affected versions of this package are vulnerable to ALAS2-2020-1513. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

- CVE-2019-15903: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
  - 1752592: CVE-2019-15903 expat: heap-based buffer over-read via crafted XML input
- CVE-2018-20843: It was discovered that the "setElementTypePrefix()" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly lead to a denial of service.
  - 1723723: CVE-2018-20843 expat: large number of colons in input makes parser consume high amount of resources, leading to DoS
Remediation
Upgrade expat to version or higher.
References
- CVE: ALAS2-2020-1513
- Snyk ID: SNYK-AMZN2-EXPAT-1022768
- Published: 28 Oct, 2020