expat (SUSE:Linux Enterprise Server for SAP Applications 12 SP4) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Server for SAP Applications 12 SP4 package expat, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (19)
CVE-2022-25235 — CVSS 9.8 (critical): xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is…
CVE-2022-23852 — CVSS 9.8 (critical): Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
CVE-2022-25236 — CVSS 9.8 (critical): xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
CVE-2021-45960 — CVSS 8.8 (high): In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc…
CVE-2021-46143 — CVSS 8.1 (high): In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
CVE-2022-43680 — CVSS 7.5 (high): In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in…
CVE-2019-15903 — CVSS 7.5 (high): In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a…
CVE-2018-20843 — CVSS 7.5 (high): In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a…
CVE-2022-25313 — CVSS 6.5 (medium): In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.