{"id":"CVE-2024-40896","details":"In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.","aliases":["BIT-java-2024-40896","BIT-java-min-2024-40896","BIT-jre-2024-40896"],"modified":"2026-05-28T04:09:54.865480954Z","published":"2024-12-23T00:00:00Z","related":["CGA-m9jv-h669-37vg","SUSE-SU-2025:20116-1","SUSE-SU-2025:20418-1","USN-7215-1","openSUSE-SU-2024:14241-1","openSUSE-SU-2024:14611-1","openSUSE-SU-2025:0024-1"],"database_specific":{"cwe_ids":["CWE-611"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40896.json","cna_assigner":"mitre","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"2.11.0"},{"fixed":"2.11.9"},{"introduced":"2.12.0"},{"fixed":"2.12.9"},{"introduced":"2.13.0"},{"fixed":"2.13.3"}]},{"source":"DESCRIPTION","extracted_events":[{"introduced":"2.11"},{"fixed":"2.11.9"},{"introduced":"2.12"},{"fixed":"2.12.9"},{"introduced":"2.13"},{"fixed":"2.13.3"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40896.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40896"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250228-0004/"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/761"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gnome/libxml2","events":[{"introduced":"f296934ade688baab79caf1c62a82149ad78accf"},{"fixed":"954e851e1d8d1f4c1dfbdf043623b3c11a1c723c"},{"introduced":"5e9b167dce73bd6a804ab107ae4c4b95e6849597"},{"fixed":"00301f0fe8bccdb9945fb684e9bbd72449b961a5"},{"introduced":"cdd2575f7fbab1d8162600f4048bc37503c80e28"},{"fixed":"3b1742b8391e966be780bdc43fdf959f7b3a118c"}],"database_specific":{"cpe":"cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*","source":"CPE_RANGE","extracted_events":[{"introduced":"2.11.0"},{"fixed":"2.11.9"},{"introduced":"2.12.0"},{"fixed":"2.12.9"},{"introduced":"2.13.0"},{"fixed":"2.13.3"}]}}],"versions":["v2.11.8","v2.13.2","v2.12.8","v2.13.1","v2.13.0","v2.12.7","v2.11.7","v2.12.6","v2.12.5","v2.12.4","v2.12.3","v2.12.2","v2.12.1","v2.11.6","v2.12.0","v2.11.5","v2.11.4","v2.11.3","v2.11.2","v2.11.1","v2.11.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40896.json"}},{"ranges":[{"type":"GIT","repo":"https://gitlab.gnome.org/gnome/libxml2","events":[{"introduced":"0"},{"fixed":"1a8932303969907f6572b1b6aac4081c56adb5c6"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v2.13.0","v2.12.0","v2.11.0","v2.10.0","v2.9.13","v2.9.12","v2.9.11","CVE-2021-3541","v2.9.10","v2.9.10-rc1","v2.9.9","v2.9.9-rc2","v2.9.9-rc1","v2.9.8","v2.9.8-rc1","v2.9.7","v2.9.7-rc1","v2.9.6","v2.9.6-rc1","v2.9.5","v2.9.5-rc2","v2.9.5-rc1","v2.9.4","CVE-2016-3627","CVE-2016-1833","CVE-2016-1835","CVE-2016-1837","CVE-2016-1836","CVE-2016-1839","CVE-2016-1838","CVE-2016-1840","CVE-2016-4449","CVE-2016-4483","CVE-2016-1834","CVE-2016-3705","v2.9.4-rc2","v2.9.4-rc1","CVE-2016-1762","v2.9.3","CVE-2015-8242","CVE-2015-7500","CVE-2015-7499-2","CVE-2015-7499-1","CVE-2015-5312","CVE-2015-7497","CVE-2015-7498","CVE-2015-8035","CVE-2015-7942-2","CVE-2015-7942","CVE-2015-8317","CVE-2015-1819","CVE-2015-7941_2","CVE-2015-7941_1","v2.9.2","CVE-2014-3660","v2.9.2-rc2","v2.9.2-rc1","CVE-2014-0191","v2.9.1","CVE-2013-2877","v2.9.0","v2.9.0-rc2","v2.8.0","v2.8.0-rc2","v2.8.0-rc1","v2.7.8","v2.7.7","v2.7.6","v2.7.5","v2.7.4","LIBXML2.7.3","LIBXML2.7.2","LIBXML2.7.1","LIBXML2.7.0","LIBXML2.6.32","LIBXML2_2_6_28","LIBXML2_2_6_27","LIBXML2_2_6_26","LIBXML2_2_6_24","LIBXML2_2_6_23","LIBXML2_2_6_22","LIBXML2_2_6_21","LIBXML2_2_6_20","LIBXML2_2_6_19","LIBXML2_2_6_18","LIBXML2_2_6_16","LIBXML2_2_6_15","LIBXML2_2_6_14","LIBXML2_2_6_13","LIBXML2_2_6_12","LIBXML2_2_6_11","LIBXML_2_6_10","LIBXML2_2_6_9","LIBXML2_2_6_8","LIBXML2_2_6_7","LIBXML2_2_6_6","LIBXML2_2_6_5","LIBXML2_2_6_4","LIBXML2_2_6_3","LIBXML2_2_6_2","LIBXML2_2_6_1","LIBXML2_6_0","LIBXML2_2_5_x","LIBXML2_2_5_10","LIBXML2_2_5_9","LIBXML2_2_5_8","LIBXML2_2_5_7","LIBXML_2_5_6","LIBXML_2_5_5","LIBXML_2_5_4","LIBXML_2_5_3","LIBXML_2_5_2","LIBXML_2_5_1","LIBXML2_2_5_0","LIBXML_2_4_30","LIBXML_2_4_29","LIBXML_2_4_27","LIBXML_2_4_26","LIBXML_2_4_25","LIBXML_2_4_24","LIBXML_2_4_23","LIBXML_2_4_22","LIBXML2_2_4_21","LIBXML_2_4_20","LIBXML_2_4_18","LIBXML_2_4_13","LIBXML_2_4_16","LIBXML_2_4_14","LIBXML_2_4_12","LIBXML_2_4_11","LIBXML_2_4_7","LIBXML_2_4_6","LIBXML_2_4_4","LIBXML_2_4_3","LIBXML_2_4_2","LIBXML_2_4_0","LIBXML_2_3_14","LIBXML_2_3_13","LIBXML_2_3_12","LIBXML_2_3_11","LIBXML_2_3_10","LIBXML_2_3_9","LIBXML_2_3_8","help","LIBXML_2_3_7","LIBXML_2_3_6","LIBXML_2_3_5","LIBXML_2_3_4","LIBXML_2_3_3","LIBXML_2_3_2","PRE_MUCKUP3","PRE_MUCKUP2","PRE_MUCKUP","LIBXML_2_3_0","LIBXML_2_2_8","LIBXML_2_2_7","LIBXML_2_2_6","LIBXML_2_2_4","GNOME_PRINT_0_24","LIBXML_2_2_3","LIBXML_2_2_1","LIBXML_2_1_1","LIBXML_2_1_0","LIB_XML_1_X","EAZEL-NAUTILUS-MS-AUG07","LIBXML_2_0_0","LIBXML_TEST_2_0_0","LIBXML_1_8_6","LIBXML_1_8_5","LIB_XML_1_8_3","LIB_XML_1_7_3","LIB_XML_1_7_1","LIB_XML_1_7_0","LIB_XML_1_6_2","LIB_XML_1_6_1","LIBXML_1_5_0","LIB_XML_1_4","LIB_XML_1_3","LIB_XML_1_1","FOR_GNOME_0_99_1","LIBXML_0_99","GNUMERIC_FIRST_PUBLIC_RELEASE","GNOME_0_30"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40896.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}