CVE-2014-2053
Description
getID3() before 1.9.8, used in ownCloud Server before 5.0.15/6.0.2, allows XXE attacks leading to arbitrary file reads or DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The getID3() library before version 1.9.8, as bundled in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, contains an XML External Entity (XXE) vulnerability [1][2]. The library improperly restricts XML external entity references when parsing XML-based file formats (such as Ogg, Matroska, or other media metadata) [1][4]. This allows an attacker to supply a crafted file that includes a malicious DOCTYPE declaration with external entities, which the library then processes without validation [4].
Exploitation
To exploit this vulnerability, an attacker must be able to upload or provide a specially crafted media file to an ownCloud instance or any application using the vulnerable getID3() library [2][3]. No authentication is required if the target application allows anonymous file uploads; otherwise, a valid user account may be needed. The attacker crafts a media file (e.g., an MP3, Ogg, or other supported format) that includes an XML structure with an XXE payload referencing an external file or resource [4]. When ownCloud or the application processes the file using getID3(), the XML parser expands the external entity, and the attack takes effect at that point.
Impact
Successful exploitation allows a remote attacker to read arbitrary files from the server filesystem (e.g., configuration files, sensitive data), cause a denial of service (e.g., by consuming resources through entity expansion), or potentially achieve other impacts depending on the PHP configuration and the attacker's control over XML parsing [2]. The attack targets the web server's privileges, so file reads are limited to what the web server user can access.
Mitigation
The fix was released in getID3 version 1.9.8 and ownCloud Server versions 5.0.15 and 6.0.2 [2][4]. The commit [4] improves the handling of XML parsing to disable external entity loading by default. Users should upgrade ownCloud to version 5.0.15 or later, or 6.0.2 or later, and ensure the bundled getID3 library is updated to 1.9.8 or later [2][3]. If upgrading is not immediately possible, a workaround is to disable file uploads that require XML parsing, but this may not be practical; patching is strongly recommended.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
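One defensive pattern for the XML2array code path the Vulnerability and Mitigation sections describe, written here as an added example (not getID3's or ownCloud's code; the helper names are hypothetical): refuse any XML that carries a DOCTYPE or ENTITY declaration before it reaches the parser, then parse with entity substitution off and network access blocked. This goes further than the shipped patch, which keeps LIBXML_NOENT and relies on libxml_disable_entity_loader() being available; that function is deprecated in PHP 8.0, so the guard below is version-gated.

```php
<?php
// Added example, not getID3 code. Helper names are hypothetical.
// Strategy: reject DOCTYPE/ENTITY up front (fail closed), then parse with
// external entity loading disabled and network access blocked.

function xmlHasDoctype(string $xml): bool
{
    // Media metadata never legitimately needs a DTD; every XXE payload
    // needs one. Case-insensitive so "<!doctype" is caught too.
    return stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false;
}

function safeXml2Array(string $xml)
{
    if ($xml === '' || xmlHasDoctype($xml)) {
        return false;
    }
    // Collect libxml errors instead of emitting PHP warnings on bad input.
    $prevErrors = libxml_use_internal_errors(true);
    // Before PHP 8.0 the external entity loader must be switched off
    // explicitly; from 8.0 it is off by default and the call is deprecated.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    try {
        // No LIBXML_NOENT here: entity references are never substituted.
        // LIBXML_NONET blocks any network fetch the parser might attempt.
        $obj = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        if ($obj === false) {
            return false;
        }
        // Cheap object-to-array conversion; adequate for flat metadata.
        return json_decode(json_encode($obj), true);
    } finally {
        // Always restore global libxml state, even when parsing failed.
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
    }
}

// Constructed sample inputs: a benign metadata fragment and one carrying a DTD.
$benign  = '<tags><title>Track One</title><artist>Example</artist></tags>';
$withDtd = '<!DOCTYPE t [<!ENTITY x SYSTEM "file:///placeholder">]><tags><title>&x;</title></tags>';
var_dump(safeXml2Array($benign));
var_dump(safeXml2Array($withDtd));  // rejected before the parser ever sees it
```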
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| james-heinrich/getid3 (Packagist) | < 1.9.9 | 1.9.9 |
Affected products
cpe:2.3:a:getid3:getid3:*:*:*:*:*:*:*:* (+7 more; 28 entries in total):
- cpe:2.3:a:getid3:getid3:*:*:*:*:*:*:*:* (range: <=1.9.7)
- cpe:2.3:a:getid3:getid3:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:getid3:getid3:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:getid3:getid3:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:getid3:getid3:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:getid3:getid3:1.9.4:b1:*:*:*:*:*:*
- cpe:2.3:a:getid3:getid3:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:getid3:getid3:1.9.6:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:* (+18 more):
- cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:*:a:*:*:*:*:*:* (range: <=5.0.14)
- (no CPE) range: <5.0.15 or >=6.0.0,<6.0.2
Patches
afbdaa044a9a improved XXE fix (CVE-2014-2053)
2 files changed · +721 −720
changelog.txt+712 −710 modifiedgetid3/getid3.lib.php+9 −10 modified@@ -519,16 +519,15 @@ public static function array_min($arraydata, $returnkey=false) { } public static function XML2array($XMLstring) { - if (function_exists('simplexml_load_string')) { - if (function_exists('get_object_vars')) { - if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11) - // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html - libxml_disable_entity_loader(true); - } - $XMLobject = simplexml_load_string($XMLstring); - return self::SimpleXMLelement2array($XMLobject); - } - } + if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) { + // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html + // https://core.trac.wordpress.org/changeset/29378 + $loader = libxml_disable_entity_loader(true); + $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT); + $return = self::SimpleXMLelement2array($XMLobject); + libxml_disable_entity_loader($loader); + return $return; + } return false; }
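Review bot: the new branch in XML2array passes LIBXML_NOENT to simplexml_load_string, and that is the flag that turns entity substitution on; the call is only safe because it sits between `$loader = libxml_disable_entity_loader(true);` and the restore, so anyone who later removes that guard is left with NOENT doing exactly what this commit is meant to prevent. Unless getID3 actually depends on entity substitution, drop the flag (`$XMLobject = simplexml_load_string($XMLstring);`) or at least add LIBXML_NONET alongside it, and record in the changelog entry why it is there. Two smaller points: with the loader disabled, nested internal entity expansion is still performed under NOENT, so the DoS half of the advisory is not fully closed by this hunk; and on builds without libxml_disable_entity_loader the function now returns false instead of parsing, which is the right fail-closed default but is a behaviour change worth a line in changelog.txt. Saving and restoring the previous loader state via `$loader` is a welcome fix over the old unconditional libxml_disable_entity_loader(true).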
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (11)
- owncloud.org/about/security/advisories/oC-SA-2014-006/ (nvd: Vendor Advisory)
- github.com/advisories/GHSA-5v43-55m5-qr8f (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-2053 (ghsa: ADVISORY)
- getid3.sourceforge.net/source/changelog.txt (nvd: WEB)
- owncloud.org/about/security/advisories/oC-SA-2014-006 (ghsa: WEB)
- secunia.com/advisories/58002 (nvd: WEB)
- www.debian.org/security/2014/dsa-3001 (nvd: WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/james-heinrich/getid3/CVE-2014-2053.yaml (ghsa: WEB)
- github.com/JamesHeinrich/getID3/commit/afbdaa044a9a0a9dff2f800bd670e231b3ec99b2 (ghsa: WEB)
- wordpress.org/news/2014/08/wordpress-3-9-2 (ghsa: WEB)
- wordpress.org/news/2014/08/wordpress-3-9-2/ (nvd)
News mentions (0)
No linked articles in our index yet.