CVE-2018-14404

Public on 2018-07-19
Modified on 2020-08-12
Description
A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the application.
Severity
Medium severity
Medium
CVSS v3 Base Score
6.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 libxml2 2018-09-05 ALAS-2018-1072 Fixed
Amazon Linux 1 libxml2 2020-08-10 ALAS-2020-1415 Fixed
Amazon Linux 2 - Core libxml2 2020-07-21 ALAS2-2020-1466 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
NVD CVSSv2 5.0 AV:N/AC:L/Au:N/C:N/I:N/A:P
NVD CVSSv3 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H