CVE-2023-52426
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-52426
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52426.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-52426
- Downstream
- Related
- Published
- 2024-02-04T20:15:46Z
- Modified
- 2025-11-06T06:15:24.700091Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
- References
-
- https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404
- https://github.com/libexpat/libexpat/pull/777
- https://security.netapp.com/advisory/ntap-20240307-0005/
- https://cwe.mitre.org/data/definitions/776.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
Affected packages
Git / github.com/libexpat/libexpat
Affected ranges
- Type
- GIT
- Repo
- https://github.com/libexpat/libexpat
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
REC1_0
R_1_95_0
R_1_95_2
R_1_95_3
R_1_95_4
R_1_95_5
R_1_95_6
R_1_95_7
R_1_95_8
R_2_0_0
R_2_0_1
R_2_1_0
R_2_1_1
R_2_2_0
R_2_2_1
R_2_2_10
R_2_2_2
R_2_2_3
R_2_2_4
R_2_2_5
R_2_2_6
R_2_2_7
R_2_2_8
R_2_2_9
R_2_3_0
R_2_4_0
R_2_4_1
R_2_4_2
R_2_4_3
R_2_4_4
R_2_4_5
R_2_4_6
R_2_4_7
R_2_4_8
R_2_4_9
R_2_5_0
V1990307
V19981122
V19981231
V19990109
V19990425
V19990626
V19990709
V19990728
V19991013
V1_0
V1_1
V20000512
beta2
beta3
beta4
jclark-orig
libexpat-alpha-1
sourceforge_init
start
Database specific
vanir_signatures
[
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-07a56893",
"digest": {
"function_hash": "21966163000585031404932848159552191475",
"length": 3823.0
},
"target": {
"function": "appendAttributeValue",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"id": "CVE-2023-52426-0edef637",
"digest": {
"threshold": 0.9,
"line_hashes": [
"99170557276827328915359870967174810496",
"136066061864242532683744951583020889207",
"134606419353113292048592079239075672829",
"236118028373682275540784275705656048129",
"44278453969947468552646259917277427384",
"104589846590859150023905579863205474011",
"153490090288632883454409844191213079938",
"112945941316001198084342545926122402643",
"77284758925616972044537129805180903744",
"150048432160285165557519879328641856881",
"190245947072112426416021585838994201692",
"104589846590859150023905579863205474011",
"249332184506560023727685091106500490755",
"295772562926034050803350554916854023190",
"214258367365239007026450089327161462422",
"108597736437782983765730004115346272066",
"261918219823180450547592852914521123819",
"266837607272318866114748356118365684786",
"214550537703738826980496686127756429871",
"272578927542326114766698865696611651767",
"91475294762464158698010855597285041466",
"196823543823044432516831074579393685929"
]
},
"target": {
"file": "expat/xmlwf/xmlwf.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-2a6c93b8",
"digest": {
"function_hash": "132562740846339807628217901171322105292",
"length": 1016.0
},
"target": {
"function": "externalEntityInitProcessor2",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-41cd4ffc",
"digest": {
"function_hash": "50371684883304735445359904865404696495",
"length": 2912.0
},
"target": {
"function": "doCdataSection",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-4de2d6b2",
"digest": {
"function_hash": "109939025514700382941458758518269281345",
"length": 7140.0
},
"target": {
"function": "tmain",
"file": "expat/xmlwf/xmlwf.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-5ae86902",
"digest": {
"function_hash": "134248216409912112811267870647432738034",
"length": 1425.0
},
"target": {
"function": "XML_GetFeatureList",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-5c62814c",
"digest": {
"function_hash": "282899842159912198801588995787703417584",
"length": 1831.0
},
"target": {
"function": "epilogProcessor",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"id": "CVE-2023-52426-67d30ec3",
"digest": {
"threshold": 0.9,
"line_hashes": [
"71470374413210588405323986431112842828",
"337261555162191464860294667388774008685",
"90953095833824153590009788373452013370",
"175195391156327468298071371566074894129",
"76178541907845056912501183026084487774",
"221092645912663499771250235038706703492",
"113545008849319699889349419472208631909",
"98870925420417191591203134792101301995",
"133035178292319448542162690129691702632",
"211770681343881259420375171302889044224",
"108745352929457887336682872942504980595",
"242827216036656684640872613508940326587",
"93732945298061120895004024804961600127",
"3471409761095238342208182322033851547",
"159514480215970528543907738294460736774",
"115685320627613433569085127717524674050",
"61158784747551808404566372858676583583",
"117241986879424566691766463754560905269",
"323674543514489456567002776184199430320",
"324998795399128069914348692129914696155",
"21335650373902663991721063679088807716",
"233503972970214895405248035163813231265",
"335443464780141440412191413786238732121",
"159779937905260529171019305828358958942",
"57256754346090338307840987587692477332",
"228499349125954499268478914590458720715",
"317168818769979825624043768258281534527",
"265225051301411033449427186292250953277",
"119575798615460410118395468421552152866",
"126060255622488245268709610241247177287",
"284701892848792187260781684871252422326",
"14161146363970034022545023784357790875",
"99486388555778093763249850927954151509",
"127802229017105644860536088488303087436",
"179204255350529238786975520336471761485",
"175672709753091155851177848675339086851",
"162961126005280385056710015889612347674",
"232028154735277607165481756653484489915",
"322457299150233962468208513022911516679",
"294407076791430514239428215683212887716",
"166002024288968766788798010948061178619",
"103018685048674873090477231638819114804",
"2302111037287434728852978454010218606",
"104206560896081305606054513829941894695",
"98878451520024838410341254418941447489",
"326477695875920677849897323439928667495",
"305158175563818199076586195314385627035",
"226096967595985210070130767028688713447",
"31317323190565944990166389543900684302",
"144133579135571011206597003348943905307",
"129399981165231711358820923717600720536",
"61878344685881244619876525364427816443",
"207692712754966414774112772154147277068",
"10238116192606974126143543924599327067",
"94123859369786126475893696766326832081",
"56331959760599407760063874204716790752",
"90176241890549262661640503882503594016",
"21292563945727791699253567697790478155",
"98193614674505577597638347618659735390",
"208667214443592899205047573438057360395",
"301385951691828881619162363643348469499",
"180691338273631567336054571120084762164",
"263255664921410625923341113985402586598",
"88359034494937012169745783738819516642",
"208924561298611273227412473050421102413",
"336912426789446284871160287367601859306",
"191060537614830460252800665782174539468",
"47546216522709058431166381468339811273",
"37782226598410609999322293432809836543",
"283237294328805626406441510625886559735",
"95879444117711867341045345440253095982",
"82006720794344664130942445801685008865",
"331658681698370591961974461880813743983",
"336912426789446284871160287367601859306",
"334124948763274882690755682912468066455",
"84908592487474151507069383424897308589",
"280536224345506024758694447605989134584",
"66922090964008686473409403068397833137",
"316210131061258616982164409735752605056",
"295394163847125417202226501611134511556",
"12950873223598158010025519323430021980",
"255963171832262274747489386111978969483",
"55853291833024032974787872991353733073",
"30150133598152738910492269979764114047",
"263711151413668092123530851036395973293",
"10989517053017465257608803484471618489",
"207444796441782881049362141083953330836",
"236618585548359545535953452940012206350",
"282590948519116082527888064830270109590",
"269824899401164434690585234687330920155",
"142895070342382765062277800581174043859",
"49696943650598843027077395268272015783",
"190918191132295502043760388950323630823",
"153047925165985383542369773632216500423",
"106911162135484423834547787595148161857",
"184176876535888842883326215750472412372",
"162420003695981970933081212565655791931",
"119727776920727109620811649952094559036",
"274531878762653862040978495239726369484",
"125362517545233914572884304232569768675",
"6937938252354647205217597162489314278",
"279406784023095523980197485836557814768",
"225249050265902479286020998410884839729",
"145687299947099659631371114291057535029",
"175186720645079118924080722953904932089",
"132783597513205059304008775908132967776",
"207692712754966414774112772154147277068",
"10238116192606974126143543924599327067",
"94123859369786126475893696766326832081",
"126596284963552908281879182267889296837",
"61288260371558299991482072612057164332",
"145676420602119428764402936896891550610",
"209507981101104714388175158184027470543",
"86368509502637621836284260318152471398",
"282590948519116082527888064830270109590",
"312527769057514186658143150699533160277",
"12660608443303867625630499952750117217",
"134745722671749816839802761627795140169",
"323515640490943074806855938133780414802",
"293571956050000104555413097110290948246",
"3692363625333745794249651615565359496",
"234252127058578059667749384041252978240",
"125362517545233914572884304232569768675",
"326287392283338404901546536107878366557",
"116280059104785101574687855584398506882",
"255114241589935637583713086478653424485",
"60466400186969965512486411280662757066",
"275413527466240942749343557114054124163",
"323554653962258761621752706009928669399",
"241842506098042367310965479606089707712",
"6174603590383472394931013997306663213",
"64573329259082959859314497699107763700",
"168499664711524123292638033371058505569",
"103432382028960920778420848302667583850",
"96787218619602428033218364235868879967"
]
},
"target": {
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-77b9627d",
"digest": {
"function_hash": "159255620538921627367732027319109476102",
"length": 1769.0
},
"target": {
"function": "processInternalEntity",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"id": "CVE-2023-52426-8eaf1fd9",
"digest": {
"threshold": 0.9,
"line_hashes": [
"150456016791797429903212649384096341610",
"253473976081072359424296733550593311895",
"61353209645823738982669675580078580358",
"268433607375412296606602598167059935488",
"210623140644525091877893797238405137695",
"41838725246221933037827158626614924246",
"177937653506235826962414665870806473005"
]
},
"target": {
"file": "expat/lib/expat.h"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-930f9228",
"digest": {
"function_hash": "163909581757202033941923154444626906707",
"length": 28790.0
},
"target": {
"function": "doProlog",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-94101eab",
"digest": {
"function_hash": "182246409033957346525094809584405957015",
"length": 1426.0
},
"target": {
"function": "doIgnoreSection",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-9e641761",
"digest": {
"function_hash": "174327787156966667290717172171364281526",
"length": 2325.0
},
"target": {
"function": "processXmlDecl",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-ba07a9f1",
"digest": {
"function_hash": "2576277895491768345022417926785804741",
"length": 3278.0
},
"target": {
"function": "parserInit",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-c9ddf77b",
"digest": {
"function_hash": "3133245618331857616305689339381325920",
"length": 1444.0
},
"target": {
"function": "entityValueInitProcessor",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"id": "CVE-2023-52426-d1e91dcb",
"digest": {
"threshold": 0.9,
"line_hashes": [
"87009556943387016105424136463568289485",
"293808254575373989417206695675551424514",
"64935393798895274116637563817998587663",
"140770519928116757280849590997307451550"
]
},
"target": {
"file": "expat/lib/internal.h"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-d8cbaa07",
"digest": {
"function_hash": "262330051084319543839054590361516848344",
"length": 4061.0
},
"target": {
"function": "storeEntityValue",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-de4f75fb",
"digest": {
"function_hash": "95463951740735094791439300279084957718",
"length": 2115.0
},
"target": {
"function": "internalEntityProcessor",
"file": "expat/lib/xmlparse.c"
}
},
{
"source": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2023-52426-f9b4cf80",
"digest": {
"function_hash": "254915876699853307597646663337837718187",
"length": 12569.0
},
"target": {
"function": "doContent",
"file": "expat/lib/xmlparse.c"
}
}
]