Medium severity6.5NVD Advisory· Published Aug 27, 2008· Updated Apr 23, 2026

CVE-2008-3281

Description

libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

Affected products

Xmlsoft/Libxml2
cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
Range: <=2.6.32
Apple Inc./Safari
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Range: <4.0
Apple Inc./Iphone Os
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Range: >=1.0.0,<3.0
Fedoraproject/Fedora
cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*
Canonical (company)/Ubuntu Linux4 versions
cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:*:*:*:*
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Desktop3 versions
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Eus2 versions
cpe:2.3:o:redhat:enterprise_linux_eus:4.7:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_eus:4.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:5.2:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Server4 versions
cpe:2.3:o:redhat:enterprise_linux_server:2.0:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:redhat:enterprise_linux_server:2.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Workstation4 versions
cpe:2.3:o:redhat:enterprise_linux_workstation:2.0:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:redhat:enterprise_linux_workstation:2.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
VMware/Esx4 versions
cpe:2.3:o:vmware:esx:2.5.4:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:vmware:esx:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:esx:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:esx:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:esx:3.0.3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

mail.gnome.org/archives/xml/2008-August/msg00034.htmlnvdMailing ListPatch
www.securityfocus.com/bid/30783nvdBroken LinkPatchThird Party AdvisoryVDB Entry
security.gentoo.org/glsa/glsa-200812-06.xmlnvdThird Party Advisory
support.apple.com/kb/HT3613nvdThird Party Advisory
support.apple.com/kb/HT3639nvdThird Party Advisory
www.debian.org/security/2008/dsa-1631nvdMailing ListThird Party Advisory
www.securityfocus.com/archive/1/497962/100/0/threadednvdBroken LinkThird Party AdvisoryVDB Entry
www.securitytracker.com/idnvdBroken LinkThird Party AdvisoryVDB Entry
www.ubuntu.com/usn/usn-640-1nvdThird Party Advisory
www.vmware.com/security/advisories/VMSA-2008-0017.htmlnvdThird Party Advisory
rhn.redhat.com/errata/RHSA-2008-0836.htmlnvdThird Party Advisory
lists.apple.com/archives/security-announce/2009/Jun/msg00005.htmlnvdMailing List
lists.apple.com/archives/security-announce/2009/jun/msg00002.htmlnvdBroken LinkMailing List
lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.htmlnvdMailing List
lists.vmware.com/pipermail/security-announce/2008/000039.htmlnvdBroken Link
secunia.com/advisories/31558nvdBroken Link
secunia.com/advisories/31566nvdBroken Link
secunia.com/advisories/31590nvdBroken Link
secunia.com/advisories/31728nvdBroken Link
secunia.com/advisories/31748nvdBroken Link
secunia.com/advisories/31855nvdBroken Link
secunia.com/advisories/31982nvdBroken Link
secunia.com/advisories/32488nvdBroken Link
secunia.com/advisories/32807nvdBroken Link
secunia.com/advisories/32974nvdBroken Link
secunia.com/advisories/35379nvdBroken Link
svn.gnome.org/viewvc/libxml2nvdBroken Link
wiki.rpath.com/Advisories:rPSA-2008-0325nvdBroken Link
www.mandriva.com/security/advisoriesnvdBroken Link
www.mandriva.com/security/advisoriesnvdBroken Link
www.vupen.com/english/advisories/2008/2419nvdBroken Link
www.vupen.com/english/advisories/2008/2843nvdBroken Link
www.vupen.com/english/advisories/2008/2971nvdBroken Link
www.vupen.com/english/advisories/2009/1522nvdBroken Link
www.vupen.com/english/advisories/2009/1621nvdBroken Link
xmlsoft.org/news.htmlnvdRelease Notes
bugzilla.redhat.com/show_bug.cginvdIssue Tracking
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496nvdBroken Link
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812nvdBroken Link
usn.ubuntu.com/644-1/nvdBroken Link
www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.htmlnvdMailing List
www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.htmlnvdMailing List

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000