CVE-2018-14404

Public on 2018-07-19

Modified on 2020-08-12

Description

A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the application.

Severity

Medium

See what this means

CVSS v3 Base Score

6.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	libxml2	2018-09-05 19:31	ALAS-2018-1072
Amazon Linux 1	libxml2	2020-08-10 22:59	ALAS-2020-1415
Amazon Linux 2 - Core	libxml2	2020-07-21 16:34	ALAS2-2020-1466

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:N/I:N/A:P
NVD	CVSSv3	7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2018-14404 Mitre: CVE-2018-14404 FAQs regarding Amazon Linux ALAS/CVE Severity