ALAS2-2020-1513

Affecting expat package, versions <2.1.0-12.amzn2

medium severity

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1513. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-15903: In libexpat before 2.2.8, crafted XML input could fool the parser into switching from DTD parsing to document parsing too early; a subsequent call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (1752592: CVE-2019-15903 expat: heap-based buffer over-read via crafted XML input)

CVE-2018-20843: It was discovered that the "setElementTypePrefix()" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high memory consumption and possibly a denial of service. (1723723: CVE-2018-20843 expat: large number of colons in input makes parser consume high amount of resources, leading to DoS)

Remediation

Upgrade expat to version 2.1.0-12.amzn2 or higher.

References

CVE: ALAS2-2020-1513
Snyk ID: SNYK-AMZN2-EXPAT-1022768
Published: 28 Oct, 2020