xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation (CVE-2022-25235)
22403
Last updated: 30 April 2024
Published: 01 August 2023
Status: CLOSED
Severity: LOW
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE: CVE-2022-25235
Brocade Security Advisory ID | BSA-2023-1868
Component | libexpat
Summary
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
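The fixed release named above (Expat 2.4.5) is the threshold a practitioner wants to check on any host that embeds libexpat. The following is an added Python example, not Brocade's or the Expat project's code: it reads the version of the Expat linked into CPython through xml.parsers.expat, compares it against 2.4.5, and feeds the parser constructed documents containing malformed UTF-8 to confirm they are rejected. The sample documents exercise Expat's general invalid-byte and truncated-sequence rejection path; they are not a trigger for CVE-2022-25235 and do not reproduce the specific context the advisory refers to.

```python
"""Added example (not Brocade's or libexpat's code): report the Expat version
linked into this interpreter and confirm it rejects malformed UTF-8."""
import xml.parsers.expat as expat

# Expat 2.4.5 is the first release carrying the fix for CVE-2022-25235,
# per the advisory summary.
FIXED_VERSION = (2, 4, 5)


def expat_version():
    """Return (major, minor, micro) of the Expat this interpreter links."""
    return tuple(expat.version_info)


def expat_is_fixed(version=None):
    """True when the given (or linked) Expat is at or above the fixed release."""
    return (version or expat_version()) >= FIXED_VERSION


def parse_bytes(data):
    """Parse raw bytes with Expat.

    Returns (True, [element names]) for a well-formed document and
    (False, error message) when Expat rejects the input.
    """
    names = []
    # No encoding argument: Expat derives it from the document (UTF-8 here).
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        return False, str(err)
    return True, names


# Constructed sample inputs (not taken from the advisory or any exploit).
GOOD_DOC = b"<root><item>ok</item></root>"
# 0xFF can never occur in UTF-8; a correct tokenizer must reject it.
BAD_BYTE_DOC = b"<root>\xff</root>"
# A 3-byte lead (0xE2) with one continuation byte, then '<' where the
# second continuation byte should be.
TRUNCATED_SEQ_DOC = b"<root>\xe2\x82</root>"

if __name__ == "__main__":
    version = ".".join(str(part) for part in expat_version())
    state = "at or above 2.4.5" if expat_is_fixed() else "BELOW 2.4.5, unfixed"
    print(f"linked Expat {version}: {state}")
    for label, doc in (("well-formed", GOOD_DOC),
                       ("invalid byte", BAD_BYTE_DOC),
                       ("truncated sequence", TRUNCATED_SEQ_DOC)):
        ok, detail = parse_bytes(doc)
        print(f"{label:>18}: {'accepted' if ok else 'rejected'} -> {detail}")
```

On an appliance such as Fabric OS the bundled libexpat is not exposed this way, so there the vendor's fixed firmware versions listed under Solution are the check; the script is for general-purpose hosts where Python (or another Expat consumer) is available.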
Products Affected
- All versions of Brocade Fabric OS
Note: Root access is required to exploit this vulnerability.
VEX status justification: Vulnerable_code_cannot_be_controlled_by_adversary. This justification is the basis for the Low (Not Exploitable) severity Brocade assigns to Fabric OS despite the 9.8 CVSS base score.
- Brocade ASCG before v3.0
Products Confirmed Not Affected
Brocade SANnav is not affected
Solution
- Brocade Fabric OS
A solution is provided in Brocade Fabric OS v9.2.0, v9.1.1d, v8.2.3e and later versions
- Brocade ASCG
A solution is also provided in Brocade ASCG v3.0
Revision History
Version | Change | Date
1.0 | Initial publication | August 1, 2023
2.0 | Updated version information; added ASCG and v9.1.1d | April 26, 2024
3.0 | Updated severity to Low (Not Exploitable); added v8.2.3e | April 30, 2024