<p>Upgrade <code>Ubuntu:21.10</code> <code>expat</code> to version 2.4.1-2ubuntu0.1 or higher.</p>

Exposure of Resource to Wrong Sphere Affecting expat package, versions <2.4.1-2ubuntu0.1

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 2.48% (90^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-UBUNTU2110-EXPAT-2403824
published 16 Feb 2022
disclosed 16 Feb 2022

Report a new vulnerability Found a mistake?

Introduced: 16 Feb 2022

CVE-2022-25236 Open this link in a new tab CWE-668 Open this link in a new tab

How to fix?

Upgrade Ubuntu:21.10 expat to version 2.4.1-2ubuntu0.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:21.10 relevant fixed versions and status.

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.