Vulnerability Monitor

CVE-2024-40896


In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.


Published: 2024-12-23T17:15:08.400

Last Modified: 2025-11-25T13:32:32.960

Status: Analyzed

Source: [email protected]

Severity: CVSSv3.1: 9.1 (CRITICAL)

Weaknesses
  • Type: Secondary
    CWE-611

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | xmlsoft | libxml2 | < 2.11.9 | Yes |
| Application | xmlsoft | libxml2 | < 2.12.9 | Yes |
| Application | xmlsoft | libxml2 | < 2.13.3 | Yes |
| Operating System | netapp | hci_compute_node | - | Yes |
| Hardware | netapp | hci_compute_node | - | No |
| Application | netapp | solidfire_\&_hci_management_node | - | Yes |
| Application | netapp | solidfire_\&_hci_storage_node | - | Yes |
| Operating System | netapp | h300s_firmware | - | Yes |
| Hardware | netapp | h300s | - | No |
| Operating System | netapp | h410s_firmware | - | Yes |
| Hardware | netapp | h410s | - | No |
| Operating System | netapp | h500s_firmware | - | Yes |
| Hardware | netapp | h500s | - | No |
| Operating System | netapp | h700s_firmware | - | Yes |
| Hardware | netapp | h700s | - | No |
| Operating System | netapp | h410c_firmware | - | Yes |
| Hardware | netapp | h410c | - | No |
