{ "threat_severity" : "Low", "public_date" : "2015-04-23T00:00:00Z", "bugzilla" : { "description" : "perl-XML-LibXML: \"expand_entities\" option was not preserved under some circumstances", "id" : "1216112", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1216112" }, "cvss" : { "cvss_base_score" : "2.6", "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:N/A:N", "status" : "draft" }, "cwe" : "CWE-611", "details" : [ "The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function." ], "statement" : "This issue affects the versions of perl-XML-LibXML as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "perl-XML-LibXML", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Will not fix", "package_name" : "perl-XML-LibXML", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "perl-XML-LibXML", "cpe" : "cpe:/o:redhat:enterprise_linux:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-3451\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3451" ], "name" : "CVE-2015-3451", "mitigation" : { "value" : "This issue only affects programs using this program in forms such as:\n$parser = XML::LibXML->new\nor \n$XML_DOC = $parser->load_xml\nif you use the form:\n$XML_DOC = XML::LibXML->load_xml\nthis vulnerability will not be exposed.", "lang" : "en:us" }, "csaw" : false }