{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-29T16:07:07.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/libexpat/libexpat/pull/559"}, {"name": "[oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/02/19/1"}, {"name": "DSA-5085", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5085"}, {"name": "FEDORA-2022-04f206996b", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/"}, {"name": "FEDORA-2022-3d9d67f558", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/"}, {"name": "[debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220303-0008/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"}, {"name": "GLSA-202209-24", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202209-24"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2022-25315", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/libexpat/libexpat/pull/559", "refsource": "MISC", "url": "https://github.com/libexpat/libexpat/pull/559"}, {"name": "[oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/02/19/1"}, {"name": "DSA-5085", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5085"}, {"name": "FEDORA-2022-04f206996b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/"}, {"name": "FEDORA-2022-3d9d67f558", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/"}, {"name": "[debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://security.netapp.com/advisory/ntap-20220303-0008/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220303-0008/"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"}, {"name": "GLSA-202209-24", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202209-24"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:36:06.823Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/libexpat/libexpat/pull/559"}, {"name": "[oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/02/19/1"}, {"name": "DSA-5085", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5085"}, {"name": "FEDORA-2022-04f206996b", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/"}, {"name": "FEDORA-2022-3d9d67f558", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/"}, {"name": "[debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220303-0008/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"}, {"name": "GLSA-202209-24", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202209-24"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-190", "lang": "en", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T13:31:38.236594Z", "id": "CVE-2022-25315", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T16:23:24.594Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-25315", "datePublished": "2022-02-18T04:24:43.000Z", "dateReserved": "2022-02-18T00:00:00.000Z", "dateUpdated": "2025-05-05T16:23:24.594Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/libexpat/libexpat/pull/559", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/02/19/1", "name": "[oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://www.debian.org/security/2022/dsa-5085", "name": "DSA-5085", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/", "name": "FEDORA-2022-04f206996b", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/", "name": "FEDORA-2022-3d9d67f558", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html", "name": "[debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20220303-0008/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202209-24", "name": "GLSA-202209-24", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:36:06.823Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-25315", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-23T13:31:38.236594Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T13:13:17.164Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/libexpat/libexpat/pull/559", "tags": ["x_refsource_MISC"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/02/19/1", "name": "[oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://www.debian.org/security/2022/dsa-5085", "name": "DSA-5085", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/", "name": "FEDORA-2022-04f206996b", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/", "name": "FEDORA-2022-3d9d67f558", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html", "name": "[debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20220303-0008/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://security.gentoo.org/glsa/202209-24", "name": "GLSA-202209-24", "tags": ["vendor-advisory", "x_refsource_GENTOO"]}], "descriptions": [{"lang": "en", "value": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-09-29T16:07:07.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/libexpat/libexpat/pull/559", "name": "https://github.com/libexpat/libexpat/pull/559", "refsource": "MISC"}, {"url": "http://www.openwall.com/lists/oss-security/2022/02/19/1", "name": "[oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes", "refsource": "MLIST"}, {"url": "https://www.debian.org/security/2022/dsa-5085", "name": "DSA-5085", "refsource": "DEBIAN"}, {"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/", "name": "FEDORA-2022-04f206996b", "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/", "name": "FEDORA-2022-3d9d67f558", "refsource": "FEDORA"}, {"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html", "name": "[debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update", "refsource": "MLIST"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20220303-0008/", "name": "https://security.netapp.com/advisory/ntap-20220303-0008/", "refsource": "CONFIRM"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", "refsource": "CONFIRM"}, {"url": "https://security.gentoo.org/glsa/202209-24", "name": "GLSA-202209-24", "refsource": "GENTOO"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-25315", "STATE": "PUBLIC", "ASSIGNER": "[email protected]"}}}}, "cveMetadata": {"cveId": "CVE-2022-25315", "state": "PUBLISHED", "dateUpdated": "2025-05-05T16:23:24.594Z", "dateReserved": "2022-02-18T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2022-02-18T04:24:43.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*", "matchCriteriaId": "00DE2EDB-AEA7-4BA2-9588-A6C05BE661E4", "versionEndExcluding": "2.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DFC79B17-E9D2-44D5-93ED-2F959E7A3D43", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "AD04BEE5-E9A8-4584-A68C-0195CE9C402C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinema_remote_connect_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "98CC9C9A-FE14-4D50-A8EC-C309229356C8", "versionEndExcluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames."}, {"lang": "es", "value": "En Expat (tambi\u00e9n se conoce como libexpat) versiones anteriores a 2.4.5, se presenta un desbordamiento de enteros en storeRawNames"}], "id": "CVE-2022-25315", "lastModified": "2025-05-05T17:18:01.760", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-02-18T05:15:08.237", "references": [{"source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/02/19/1"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/libexpat/libexpat/pull/559"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html"}, {"source": "[email protected]", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/"}, {"source": "[email protected]", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202209-24"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220303-0008/"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5085"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/02/19/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/libexpat/libexpat/pull/559"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202209-24"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220303-0008/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5085"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-190"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1309", "cpe": "cpe:/o:redhat:rhel_els:6", "package": "expat-0:2.0.1-14.el6_10", "product_name": "Red Hat Enterprise Linux 6 Extended Lifecycle Support", "release_date": "2022-04-12T00:00:00Z"}, {"advisory": "RHSA-2022:0824", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:91.7.0-3.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-03-10T00:00:00Z"}, {"advisory": "RHSA-2022:0850", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:91.7.0-2.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-03-14T00:00:00Z"}, {"advisory": "RHSA-2022:1069", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "expat-0:2.1.0-14.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-03-28T00:00:00Z"}, {"advisory": "RHSA-2022:0818", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:91.7.0-3.el8_5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-03-10T00:00:00Z"}, {"advisory": "RHSA-2022:0845", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:91.7.0-2.el8_5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-03-14T00:00:00Z"}, {"advisory": "RHSA-2022:7811", "cpe": "cpe:/a:redhat:enterprise_linux:8::crb", "package": "mingw-expat-0:2.4.8-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-11-08T00:00:00Z"}, {"advisory": "RHSA-2022:0951", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "expat-0:2.2.5-4.el8_5.3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-03-16T00:00:00Z"}, {"advisory": "RHSA-2022:0815", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "firefox-0:91.7.0-3.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-03-10T00:00:00Z"}, {"advisory": "RHSA-2022:0847", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:91.7.0-2.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-03-14T00:00:00Z"}, {"advisory": "RHSA-2022:1068", "cpe": "cpe:/o:redhat:rhel_e4s:8.1", "package": "expat-0:2.2.5-3.el8_1.1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-03-28T00:00:00Z"}, {"advisory": "RHSA-2022:0816", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "firefox-0:91.7.0-3.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-03-10T00:00:00Z"}, {"advisory": "RHSA-2022:0843", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:91.7.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-03-14T00:00:00Z"}, {"advisory": "RHSA-2022:1070", "cpe": "cpe:/o:redhat:rhel_eus:8.2", "package": "expat-0:2.2.5-3.el8_2.2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-03-28T00:00:00Z"}, {"advisory": "RHSA-2022:0817", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "firefox-0:91.7.0-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-03-10T00:00:00Z"}, {"advisory": "RHSA-2022:0853", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:91.7.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-03-14T00:00:00Z"}, {"advisory": "RHSA-2022:1012", "cpe": "cpe:/o:redhat:rhel_eus:8.4", "package": "expat-0:2.2.5-4.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-03-22T00:00:00Z"}, {"advisory": "RHBA-2022:4046", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "expat-0:2.2.10-12.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-05-17T00:00:00Z"}, {"advisory": "RHBA-2022:4046", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "expat-0:2.2.10-12.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-05-17T00:00:00Z"}, {"advisory": "RHSA-2022:1263", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package": "redhat-virtualization-host-0:4.3.22-20220330.1.el7_9", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2022-04-07T00:00:00Z"}, {"advisory": "RHSA-2022:1053", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "redhat-virtualization-host-0:4.4.10-202203211649_8.5", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2022-03-24T00:00:00Z"}, {"advisory": "RHSA-2022:7144", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "expat", "product_name": "Text-Only JBCS", "release_date": "2022-10-26T00:00:00Z"}], "bugzilla": {"description": "expat: Integer overflow in storeRawNames()", "id": "2056363", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2056363"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-190->CWE-787", "details": ["In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.", "An integer overflow was found in expat. The issue occurs in storeRawNames() by abusing the m_buffer expansion logic to allow allocations very close to INT_MAX and out-of-bounds heap writes. This flaw can cause a denial of service or potentially arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "There is no known mitigation other than restricting applications using the expat library from processing untrusted XML content. Please update the affected packages as soon as possible."}, "name": "CVE-2022-25315", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox:flatpak/firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "thunderbird:flatpak/thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "xmlrpc-c", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "xmlrpc-c", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-02-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-25315\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25315\nhttps://blog.hartwork.org/posts/expat-2-4-5-released/"], "statement": "This flaw affects applications that leverage expat to parse untrusted XML files. Applications that only parse trusted XML files or do not process XML files at all are not affected by this flaw.", "threat_severity": "Important"}