CVE-2013-1864

high

Description

The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga before 4.0.1, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted PXML document containing a large number of nested entity references, aka a "billion laughs attack."

References

https://www.suse.com/support/update/announcement/2014/suse-su-20140237-1.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/82885

http://www.securityfocus.com/bid/58520

http://www.ekiga.org/news/2013-02-21/ekiga-4.0.1-stable-available

http://secunia.com/advisories/52659

http://seclists.org/oss-sec/2013/q1/674

http://osvdb.org/91439

http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099553.html

Details

Source: Mitre, NVD

Published: 2014-05-23

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High