VAR-202210-1070
Vulnerability from variot - Updated: 2026-04-10 23:25An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. It is written in C language and can be called by many languages, such as C language, C++, XSH. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. Summary:
OpenShift API for Data Protection (OADP) 1.1.2 is now available. Description:
OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
- JIRA issues fixed (https://issues.jboss.org/):
OADP-1056 - DPA fails validation if multiple BSLs have the same provider OADP-1150 - Handle docker env config changes in the oadp-operator OADP-1217 - update velero + restic to 1.9.5 OADP-1256 - Backup stays in progress status after restic pod is restarted due to OOM killed OADP-1289 - Restore partially fails with error "Secrets \"deployer-token-rrjqx\" not found" OADP-290 - Remove creation/usage of velero-privileged SCC
- Description:
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Bugs fixed (https://bugzilla.redhat.com/):
2160492 - CVE-2023-22482 ArgoCD: JWT audience claim is not verified 2162517 - CVE-2023-22736 argocd: Controller reconciles apps outside configured namespaces when sharding is enabled
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libxml2 security update Advisory ID: RHSA-2023:0338-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:0338 Issue date: 2023-01-23 CVE Names: CVE-2022-40303 CVE-2022-40304 ==================================================================== 1. Summary:
An update for libxml2 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
The libxml2 library is a development toolbox providing the implementation of various XML standards.
Security Fix(es):
-
libxml2: integer overflows with XML_PARSE_HUGE (CVE-2022-40303)
-
libxml2: dict corruption caused by entity reference cycles (CVE-2022-40304)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
The desktop must be restarted (log out, then log back in) for this update to take effect.
- Bugs fixed (https://bugzilla.redhat.com/):
2136266 - CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE 2136288 - CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
aarch64: libxml2-debuginfo-2.9.13-3.el9_1.aarch64.rpm libxml2-debugsource-2.9.13-3.el9_1.aarch64.rpm libxml2-devel-2.9.13-3.el9_1.aarch64.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.aarch64.rpm
ppc64le: libxml2-debuginfo-2.9.13-3.el9_1.ppc64le.rpm libxml2-debugsource-2.9.13-3.el9_1.ppc64le.rpm libxml2-devel-2.9.13-3.el9_1.ppc64le.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.ppc64le.rpm
s390x: libxml2-debuginfo-2.9.13-3.el9_1.s390x.rpm libxml2-debugsource-2.9.13-3.el9_1.s390x.rpm libxml2-devel-2.9.13-3.el9_1.s390x.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.s390x.rpm
x86_64: libxml2-debuginfo-2.9.13-3.el9_1.i686.rpm libxml2-debuginfo-2.9.13-3.el9_1.x86_64.rpm libxml2-debugsource-2.9.13-3.el9_1.i686.rpm libxml2-debugsource-2.9.13-3.el9_1.x86_64.rpm libxml2-devel-2.9.13-3.el9_1.i686.rpm libxml2-devel-2.9.13-3.el9_1.x86_64.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.i686.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.x86_64.rpm
Red Hat Enterprise Linux BaseOS (v. 9):
Source: libxml2-2.9.13-3.el9_1.src.rpm
aarch64: libxml2-2.9.13-3.el9_1.aarch64.rpm libxml2-debuginfo-2.9.13-3.el9_1.aarch64.rpm libxml2-debugsource-2.9.13-3.el9_1.aarch64.rpm python3-libxml2-2.9.13-3.el9_1.aarch64.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.aarch64.rpm
ppc64le: libxml2-2.9.13-3.el9_1.ppc64le.rpm libxml2-debuginfo-2.9.13-3.el9_1.ppc64le.rpm libxml2-debugsource-2.9.13-3.el9_1.ppc64le.rpm python3-libxml2-2.9.13-3.el9_1.ppc64le.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.ppc64le.rpm
s390x: libxml2-2.9.13-3.el9_1.s390x.rpm libxml2-debuginfo-2.9.13-3.el9_1.s390x.rpm libxml2-debugsource-2.9.13-3.el9_1.s390x.rpm python3-libxml2-2.9.13-3.el9_1.s390x.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.s390x.rpm
x86_64: libxml2-2.9.13-3.el9_1.i686.rpm libxml2-2.9.13-3.el9_1.x86_64.rpm libxml2-debuginfo-2.9.13-3.el9_1.i686.rpm libxml2-debuginfo-2.9.13-3.el9_1.x86_64.rpm libxml2-debugsource-2.9.13-3.el9_1.i686.rpm libxml2-debugsource-2.9.13-3.el9_1.x86_64.rpm python3-libxml2-2.9.13-3.el9_1.x86_64.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.i686.rpm python3-libxml2-debuginfo-2.9.13-3.el9_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-40303 https://access.redhat.com/security/cve/CVE-2022-40304 https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. Bugs fixed (https://bugzilla.redhat.com/):
2171870 - CVE-2023-0923 odh-notebook-controller-container: Missing authorization allows for file contents disclosure
- JIRA issues fixed (https://issues.jboss.org/):
RHODS-6123 - Update dsp repo to match upstream kfp-tekton repo RHODS-6136 - Verify status of manifests RHODS-6330 - Remove Openvino and Etcd images from quay for self-managed deployments RHODS-6779 - [Model Serving] fallback image for ovms is not published, leading to image pull errors in upgrade scenarios
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2022-12-13-8 watchOS 9.2
watchOS 9.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213536.
Accounts Available for: Apple Watch Series 4 and later Impact: A user may be able to view sensitive user information Description: This issue was addressed with improved data protection. CVE-2022-42843: Mickey Jin (@patch1t)
AppleAVD Available for: Apple Watch Series 4 and later Impact: Parsing a maliciously crafted video file may lead to kernel code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46694: Andrey Labunets and Nikita Tarakanov
AppleMobileFileIntegrity Available for: Apple Watch Series 4 and later Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed by enabling hardened runtime. CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing
CoreServices Available for: Apple Watch Series 4 and later Impact: An app may be able to bypass Privacy preferences Description: Multiple issues were addressed by removing the vulnerable code. CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security
ImageIO Available for: Apple Watch Series 4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46693: Mickey Jin (@patch1t)
IOHIDFamily Available for: Apple Watch Series 4 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2022-42864: Tommy Muir (@Muirey03)
IOMobileFrameBuffer Available for: Apple Watch Series 4 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46690: John Aakerblom (@jaakerblom)
iTunes Store Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation. CVE-2022-42837: an anonymous researcher
Kernel Available for: Apple Watch Series 4 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with additional validation. CVE-2022-46689: Ian Beer of Google Project Zero
Kernel Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause kernel code execution Description: The issue was addressed with improved memory handling. CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year Lab
Kernel Available for: Apple Watch Series 4 and later Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42845: Adam Doupé of ASU SEFCOM
libxml2 Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2022-40303: Maddie Stone of Google Project Zero
libxml2 Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero
Safari Available for: Apple Watch Series 4 and later Impact: Visiting a website that frames malicious content may lead to UI spoofing Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE-2022-46695: KirtiKumar Anandrao Ramchandani
Software Update Available for: Apple Watch Series 4 and later Impact: A user may be able to elevate privileges Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions. CVE-2022-42849: Mickey Jin (@patch1t)
Weather Available for: Apple Watch Series 4 and later Impact: An app may be able to read sensitive location information Description: The issue was addressed with improved handling of caches. CVE-2022-42866: an anonymous researcher
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. WebKit Bugzilla: 245521 CVE-2022-42867: Maddie Stone of Google Project Zero
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory consumption issue was addressed with improved memory handling. WebKit Bugzilla: 245466 CVE-2022-46691: an anonymous researcher
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may bypass Same Origin Policy Description: A logic issue was addressed with improved state management. WebKit Bugzilla: 246783 CVE-2022-46692: KirtiKumar Anandrao Ramchandani
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may result in the disclosure of process memory Description: The issue was addressed with improved memory handling. CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. WebKit Bugzilla: 246942 CVE-2022-46696: Samuel Groß of Google V8 Security WebKit Bugzilla: 247562 CVE-2022-46700: Samuel Groß of Google V8 Security
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may disclose sensitive user information Description: A logic issue was addressed with improved checks. CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. WebKit Bugzilla: 247420 CVE-2022-46699: Samuel Groß of Google V8 Security WebKit Bugzilla: 244622 CVE-2022-42863: an anonymous researcher
Additional recognition
Kernel We would like to acknowledge Zweig of Kunlun Lab for their assistance.
Safari Extensions We would like to acknowledge Oliver Dunk and Christian R. of 1Password for their assistance.
WebKit We would like to acknowledge an anonymous researcher and scarlet for their assistance.
Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641 To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke NxlyKA//eeU/txeqNxHM7JQE6xFrlla1tinQYMjbLhMgzdTbKpPjX8aHVqFfLB/Q 5nH+NqrGs4HQwNQJ6fSiBIId0th71mgX7W3Noa1apzFh7Okl6IehczkAFB9OH7ve vnwiEECGU0hUNmbIi0s9HuuBo6eSNPFsJt0Jqn8ovV+F9bc+ftl/IRv6q2vg3rl3 DNag62BCmCN4uXmqoJ4CKg7cNbddvma0bDbB1yYujxdmFwm4JGN6aittXE3WtPK2 GH2/UxdZll8FR7Zegh1ziUcTaLR4dwHlXRFgc6WC8hqx6T8imNh1heAPwzhT+Iag piObDoMs7UYFKF/eQ8LUcl4hX8IOdLFO5I+BcvCzOcKqHutPqbE8QRU9yqjcQlsJ sOV7GT9W9J+QhibpIJbLVkkQp5djPZ8mLP0OKiRN1quEDWMrquPdM+r9ftJwEIki PLL/ur9c7geXCJCLzglMSMkNcoGZk77qzfJuPdoE0lD6zjdvBHalF5j8S0a1+9gi ex3zU1I+ixqg7CvLNfkSjLcO9KOoPEFHnqEFrrO17QWWyraugrPgV0dMYArGRBpA FofYP6bXLv8eSUNuyOoQxF6kS4ChYgLUabl2NYqop9LoRWAtDAclTiabuvDJPfqA W09wxdhbpp2saxt8LlQjffzOmHJST6oHhHZiFiFswRM0q0nue6I= =DltD -----END PGP SIGNATURE-----
Show details on source website{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "h410c",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "16.2"
},
{
"_id": null,
"model": "h500s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "clustered data ontap antivirus connector",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "macos",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "11.0"
},
{
"_id": null,
"model": "smi-s provider",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "macos",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "12.0"
},
{
"_id": null,
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "15.7.2"
},
{
"_id": null,
"model": "h300s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "h410s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "15.7.2"
},
{
"_id": null,
"model": "libxml2",
"scope": "lt",
"trust": 1.0,
"vendor": "xmlsoft",
"version": "2.10.3"
},
{
"_id": null,
"model": "macos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.7.2"
},
{
"_id": null,
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "9.2"
},
{
"_id": null,
"model": "manageability software development kit",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "active iq unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "h700s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "snapmanager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "macos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.6.2"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"credits": {
"_id": null,
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "171310"
},
{
"db": "PACKETSTORM",
"id": "170753"
},
{
"db": "PACKETSTORM",
"id": "170752"
},
{
"db": "PACKETSTORM",
"id": "170668"
},
{
"db": "PACKETSTORM",
"id": "170754"
},
{
"db": "PACKETSTORM",
"id": "171173"
}
],
"trust": 0.6
},
"cve": "CVE-2022-40304",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2022-40304",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-40304",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"id": "CVE-2022-40304",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202210-1022",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-1022"
},
{
"db": "NVD",
"id": "CVE-2022-40304"
},
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"description": {
"_id": null,
"data": "An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. It is written in C language and can be called by many languages, such as C language, C++, XSH. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. Summary:\n\nOpenShift API for Data Protection (OADP) 1.1.2 is now available. Description:\n\nOpenShift API for Data Protection (OADP) enables you to back up and restore\napplication resources, persistent volume data, and internal container\nimages to external backup storage. OADP enables both file system-based and\nsnapshot-based backups for persistent volumes. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):\n\n2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers\n2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters\n2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps\n2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nOADP-1056 - DPA fails validation if multiple BSLs have the same provider\nOADP-1150 - Handle docker env config changes in the oadp-operator\nOADP-1217 - update velero + restic to 1.9.5\nOADP-1256 - Backup stays in progress status after restic pod is restarted due to OOM killed\nOADP-1289 - Restore partially fails with error \"Secrets \\\"deployer-token-rrjqx\\\" not found\"\nOADP-290 - Remove creation/usage of velero-privileged SCC\n\n6. Description:\n\nRed Hat Openshift GitOps is a declarative way to implement continuous\ndeployment for cloud native applications. Bugs fixed (https://bugzilla.redhat.com/):\n\n2160492 - CVE-2023-22482 ArgoCD: JWT audience claim is not verified\n2162517 - CVE-2023-22736 argocd: Controller reconciles apps outside configured namespaces when sharding is enabled\n\n5. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: libxml2 security update\nAdvisory ID: RHSA-2023:0338-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:0338\nIssue date: 2023-01-23\nCVE Names: CVE-2022-40303 CVE-2022-40304\n====================================================================\n1. Summary:\n\nAn update for libxml2 is now available for Red Hat Enterprise Linux 9. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nThe libxml2 library is a development toolbox providing the implementation\nof various XML standards. \n\nSecurity Fix(es):\n\n* libxml2: integer overflows with XML_PARSE_HUGE (CVE-2022-40303)\n\n* libxml2: dict corruption caused by entity reference cycles\n(CVE-2022-40304)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe desktop must be restarted (log out, then log back in) for this update\nto take effect. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2136266 - CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE\n2136288 - CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles\n\n6. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 9):\n\naarch64:\nlibxml2-debuginfo-2.9.13-3.el9_1.aarch64.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.aarch64.rpm\nlibxml2-devel-2.9.13-3.el9_1.aarch64.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.aarch64.rpm\n\nppc64le:\nlibxml2-debuginfo-2.9.13-3.el9_1.ppc64le.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.ppc64le.rpm\nlibxml2-devel-2.9.13-3.el9_1.ppc64le.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.ppc64le.rpm\n\ns390x:\nlibxml2-debuginfo-2.9.13-3.el9_1.s390x.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.s390x.rpm\nlibxml2-devel-2.9.13-3.el9_1.s390x.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.s390x.rpm\n\nx86_64:\nlibxml2-debuginfo-2.9.13-3.el9_1.i686.rpm\nlibxml2-debuginfo-2.9.13-3.el9_1.x86_64.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.i686.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.x86_64.rpm\nlibxml2-devel-2.9.13-3.el9_1.i686.rpm\nlibxml2-devel-2.9.13-3.el9_1.x86_64.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.i686.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.x86_64.rpm\n\nRed Hat Enterprise Linux BaseOS (v. 9):\n\nSource:\nlibxml2-2.9.13-3.el9_1.src.rpm\n\naarch64:\nlibxml2-2.9.13-3.el9_1.aarch64.rpm\nlibxml2-debuginfo-2.9.13-3.el9_1.aarch64.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.aarch64.rpm\npython3-libxml2-2.9.13-3.el9_1.aarch64.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.aarch64.rpm\n\nppc64le:\nlibxml2-2.9.13-3.el9_1.ppc64le.rpm\nlibxml2-debuginfo-2.9.13-3.el9_1.ppc64le.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.ppc64le.rpm\npython3-libxml2-2.9.13-3.el9_1.ppc64le.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.ppc64le.rpm\n\ns390x:\nlibxml2-2.9.13-3.el9_1.s390x.rpm\nlibxml2-debuginfo-2.9.13-3.el9_1.s390x.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.s390x.rpm\npython3-libxml2-2.9.13-3.el9_1.s390x.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.s390x.rpm\n\nx86_64:\nlibxml2-2.9.13-3.el9_1.i686.rpm\nlibxml2-2.9.13-3.el9_1.x86_64.rpm\nlibxml2-debuginfo-2.9.13-3.el9_1.i686.rpm\nlibxml2-debuginfo-2.9.13-3.el9_1.x86_64.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.i686.rpm\nlibxml2-debugsource-2.9.13-3.el9_1.x86_64.rpm\npython3-libxml2-2.9.13-3.el9_1.x86_64.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.i686.rpm\npython3-libxml2-debuginfo-2.9.13-3.el9_1.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2022-40303\nhttps://access.redhat.com/security/cve/CVE-2022-40304\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. Bugs fixed (https://bugzilla.redhat.com/):\n\n2171870 - CVE-2023-0923 odh-notebook-controller-container: Missing authorization allows for file contents disclosure\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nRHODS-6123 - Update dsp repo to match upstream kfp-tekton repo\nRHODS-6136 - Verify status of manifests\nRHODS-6330 - Remove Openvino and Etcd images from quay for self-managed deployments\nRHODS-6779 - [Model Serving] fallback image for ovms is not published, leading to image pull errors in upgrade scenarios\n\n6. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2022-12-13-8 watchOS 9.2\n\nwatchOS 9.2 addresses the following issues. \nInformation about the security content is also available at\nhttps://support.apple.com/HT213536. \n\nAccounts\nAvailable for: Apple Watch Series 4 and later\nImpact: A user may be able to view sensitive user information\nDescription: This issue was addressed with improved data protection. \nCVE-2022-42843: Mickey Jin (@patch1t)\n\nAppleAVD\nAvailable for: Apple Watch Series 4 and later\nImpact: Parsing a maliciously crafted video file may lead to kernel\ncode execution\nDescription: An out-of-bounds write issue was addressed with improved\ninput validation. \nCVE-2022-46694: Andrey Labunets and Nikita Tarakanov\n\nAppleMobileFileIntegrity\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to bypass Privacy preferences\nDescription: This issue was addressed by enabling hardened runtime. \nCVE-2022-42865: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\nCoreServices\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to bypass Privacy preferences\nDescription: Multiple issues were addressed by removing the\nvulnerable code. \nCVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of\nOffensive Security\n\nImageIO\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing a maliciously crafted file may lead to arbitrary\ncode execution\nDescription: An out-of-bounds write issue was addressed with improved\ninput validation. \nCVE-2022-46693: Mickey Jin (@patch1t)\n\nIOHIDFamily\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to execute arbitrary code with kernel\nprivileges\nDescription: A race condition was addressed with improved state\nhandling. \nCVE-2022-42864: Tommy Muir (@Muirey03)\n\nIOMobileFrameBuffer\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to execute arbitrary code with kernel\nprivileges\nDescription: An out-of-bounds write issue was addressed with improved\ninput validation. \nCVE-2022-46690: John Aakerblom (@jaakerblom)\n\niTunes Store\nAvailable for: Apple Watch Series 4 and later\nImpact: A remote user may be able to cause unexpected app termination\nor arbitrary code execution\nDescription: An issue existed in the parsing of URLs. This issue was\naddressed with improved input validation. \nCVE-2022-42837: an anonymous researcher\n\nKernel\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to execute arbitrary code with kernel\nprivileges\nDescription: A race condition was addressed with additional\nvalidation. \nCVE-2022-46689: Ian Beer of Google Project Zero\n\nKernel\nAvailable for: Apple Watch Series 4 and later\nImpact: A remote user may be able to cause kernel code execution\nDescription: The issue was addressed with improved memory handling. \nCVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year\nLab\n\nKernel\nAvailable for: Apple Watch Series 4 and later\nImpact: An app with root privileges may be able to execute arbitrary\ncode with kernel privileges\nDescription: The issue was addressed with improved memory handling. \nCVE-2022-42845: Adam Doup\u00e9 of ASU SEFCOM\n\nlibxml2\nAvailable for: Apple Watch Series 4 and later\nImpact: A remote user may be able to cause unexpected app termination\nor arbitrary code execution\nDescription: An integer overflow was addressed through improved input\nvalidation. \nCVE-2022-40303: Maddie Stone of Google Project Zero\n\nlibxml2\nAvailable for: Apple Watch Series 4 and later\nImpact: A remote user may be able to cause unexpected app termination\nor arbitrary code execution\nDescription: This issue was addressed with improved checks. \nCVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project\nZero\n\nSafari\nAvailable for: Apple Watch Series 4 and later\nImpact: Visiting a website that frames malicious content may lead to\nUI spoofing\nDescription: A spoofing issue existed in the handling of URLs. This\nissue was addressed with improved input validation. \nCVE-2022-46695: KirtiKumar Anandrao Ramchandani\n\nSoftware Update\nAvailable for: Apple Watch Series 4 and later\nImpact: A user may be able to elevate privileges\nDescription: An access issue existed with privileged API calls. This\nissue was addressed with additional restrictions. \nCVE-2022-42849: Mickey Jin (@patch1t)\n\nWeather\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to read sensitive location information\nDescription: The issue was addressed with improved handling of\ncaches. \nCVE-2022-42866: an anonymous researcher\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A use after free issue was addressed with improved\nmemory management. \nWebKit Bugzilla: 245521\nCVE-2022-42867: Maddie Stone of Google Project Zero\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A memory consumption issue was addressed with improved\nmemory handling. \nWebKit Bugzilla: 245466\nCVE-2022-46691: an anonymous researcher\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may bypass Same\nOrigin Policy\nDescription: A logic issue was addressed with improved state\nmanagement. \nWebKit Bugzilla: 246783\nCVE-2022-46692: KirtiKumar Anandrao Ramchandani\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may result in the\ndisclosure of process memory\nDescription: The issue was addressed with improved memory handling. \nCVE-2022-42852: hazbinhotel working with Trend Micro Zero Day\nInitiative\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nWebKit Bugzilla: 246942\nCVE-2022-46696: Samuel Gro\u00df of Google V8 Security\nWebKit Bugzilla: 247562\nCVE-2022-46700: Samuel Gro\u00df of Google V8 Security\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may disclose\nsensitive user information\nDescription: A logic issue was addressed with improved checks. \nCVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs\n\u0026 DNSLab, Korea Univ. \n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A memory corruption issue was addressed with improved\nstate management. \nWebKit Bugzilla: 247420\nCVE-2022-46699: Samuel Gro\u00df of Google V8 Security\nWebKit Bugzilla: 244622\nCVE-2022-42863: an anonymous researcher\n\nAdditional recognition\n\nKernel\nWe would like to acknowledge Zweig of Kunlun Lab for their\nassistance. \n\nSafari Extensions\nWe would like to acknowledge Oliver Dunk and Christian R. of\n1Password for their assistance. \n\nWebKit\nWe would like to acknowledge an anonymous researcher and scarlet for\ntheir assistance. \n\nInstructions on how to update your Apple Watch software are available\nat https://support.apple.com/kb/HT204641 To check the version on\nyour Apple Watch, open the Apple Watch app on your iPhone and select\n\"My Watch \u003e General \u003e About\". Alternatively, on your watch, select\n\"My Watch \u003e General \u003e About\". \nAll information is also posted on the Apple Security Updates\nweb site: https://support.apple.com/en-us/HT201222. \n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke\nNxlyKA//eeU/txeqNxHM7JQE6xFrlla1tinQYMjbLhMgzdTbKpPjX8aHVqFfLB/Q\n5nH+NqrGs4HQwNQJ6fSiBIId0th71mgX7W3Noa1apzFh7Okl6IehczkAFB9OH7ve\nvnwiEECGU0hUNmbIi0s9HuuBo6eSNPFsJt0Jqn8ovV+F9bc+ftl/IRv6q2vg3rl3\nDNag62BCmCN4uXmqoJ4CKg7cNbddvma0bDbB1yYujxdmFwm4JGN6aittXE3WtPK2\nGH2/UxdZll8FR7Zegh1ziUcTaLR4dwHlXRFgc6WC8hqx6T8imNh1heAPwzhT+Iag\npiObDoMs7UYFKF/eQ8LUcl4hX8IOdLFO5I+BcvCzOcKqHutPqbE8QRU9yqjcQlsJ\nsOV7GT9W9J+QhibpIJbLVkkQp5djPZ8mLP0OKiRN1quEDWMrquPdM+r9ftJwEIki\nPLL/ur9c7geXCJCLzglMSMkNcoGZk77qzfJuPdoE0lD6zjdvBHalF5j8S0a1+9gi\nex3zU1I+ixqg7CvLNfkSjLcO9KOoPEFHnqEFrrO17QWWyraugrPgV0dMYArGRBpA\nFofYP6bXLv8eSUNuyOoQxF6kS4ChYgLUabl2NYqop9LoRWAtDAclTiabuvDJPfqA\nW09wxdhbpp2saxt8LlQjffzOmHJST6oHhHZiFiFswRM0q0nue6I=\n=DltD\n-----END PGP SIGNATURE-----\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-40304"
},
{
"db": "VULHUB",
"id": "VHN-429438"
},
{
"db": "VULMON",
"id": "CVE-2022-40304"
},
{
"db": "PACKETSTORM",
"id": "171310"
},
{
"db": "PACKETSTORM",
"id": "170753"
},
{
"db": "PACKETSTORM",
"id": "170752"
},
{
"db": "PACKETSTORM",
"id": "170668"
},
{
"db": "PACKETSTORM",
"id": "170754"
},
{
"db": "PACKETSTORM",
"id": "169857"
},
{
"db": "PACKETSTORM",
"id": "171173"
},
{
"db": "PACKETSTORM",
"id": "170318"
}
],
"trust": 1.8
},
"exploit_availability": {
"_id": null,
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-429438",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
}
]
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2022-40304",
"trust": 2.6
},
{
"db": "PACKETSTORM",
"id": "169857",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "170318",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "170754",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "169824",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "170555",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "169620",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "170955",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "169732",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "170097",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-202210-1022",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2023.0246",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.3732",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.1467",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5286",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.3143",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.6321",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5792.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.0816",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.1501",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5614",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.1267",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.0513",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5455",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.1041",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.1398",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "170753",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "171173",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "170752",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "170317",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170316",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171016",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171043",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170899",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170096",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170312",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169858",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171042",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171017",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170315",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171040",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171260",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-429438",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2022-40304",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171310",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170668",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
},
{
"db": "VULMON",
"id": "CVE-2022-40304"
},
{
"db": "PACKETSTORM",
"id": "171310"
},
{
"db": "PACKETSTORM",
"id": "170753"
},
{
"db": "PACKETSTORM",
"id": "170752"
},
{
"db": "PACKETSTORM",
"id": "170668"
},
{
"db": "PACKETSTORM",
"id": "170754"
},
{
"db": "PACKETSTORM",
"id": "169857"
},
{
"db": "PACKETSTORM",
"id": "171173"
},
{
"db": "PACKETSTORM",
"id": "170318"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-1022"
},
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"id": "VAR-202210-1070",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
}
],
"trust": 0.01
},
"last_update_date": "2026-04-10T23:25:26.950000Z",
"patch": {
"_id": null,
"data": [
{
"title": "libxml2 Fixes for code issue vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=215772"
},
{
"title": "Debian CVElist Bug Report Logs: libxml2: CVE-2022-40304: dict corruption caused by entity reference cycles",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=8363a596e2a5d2dc61357b1dbd72b616"
},
{
"title": "Red Hat: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2022-40304"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-40304"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-1022"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-415",
"trust": 1.0
},
{
"problemtype": "CWE-611",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
},
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20221209-0003/"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213531"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213533"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213534"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213535"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213536"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2022/dec/21"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2022/dec/24"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2022/dec/25"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2022/dec/26"
},
{
"trust": 1.7,
"url": "https://gitlab.gnome.org/gnome/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b"
},
{
"trust": 1.7,
"url": "https://gitlab.gnome.org/gnome/libxml2/-/tags"
},
{
"trust": 1.7,
"url": "https://gitlab.gnome.org/gnome/libxml2/-/tags/v2.10.3"
},
{
"trust": 1.1,
"url": "http://seclists.org/fulldisclosure/2022/dec/27"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2022-40304"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-40304"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-40303"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.6,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2022-40303"
},
{
"trust": 0.6,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.1041"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.3143"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170555/red-hat-security-advisory-2023-0173-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.1267"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.1467"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170318/apple-security-advisory-2022-12-13-8.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.1501"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht213505"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5286"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170955/red-hat-security-advisory-2023-0634-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169857/apple-security-advisory-2022-11-09-1.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170754/red-hat-security-advisory-2023-0468-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170097/ubuntu-security-notice-usn-5760-2.html"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht213534"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.3732"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.0246"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-40304/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169732/debian-security-advisory-5271-1.html"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/libxml2-three-vulnerabilities-39554"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169824/libxml2-attribute-parsing-double-free.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.1398"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.0816"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169620/gentoo-linux-security-advisory-202210-39.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.6321"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.0513"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5792.2"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5455"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5614"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2022-43680"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2022-42011"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2022-35737"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2021-46848"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-46848"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2022-42010"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2022-42012"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-43680"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42012"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2023-22482"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-22482"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-35737"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42010"
},
{
"trust": 0.3,
"url": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42011"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-4415"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-47629"
},
{
"trust": 0.2,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-3821"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-3821"
},
{
"trust": 0.2,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.2,
"url": "https://support.apple.com/en-us/ht201222."
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022225"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-46285"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25308"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2953"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-48303"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22662"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2879"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2880"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1304"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2869"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-27404"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2058"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22624"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25310"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42898"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22628"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25309"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:1174"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26710"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2057"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1304"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26700"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-4883"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26719"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-44617"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2058"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-41717"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2521"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26709"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26717"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2519"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26716"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22629"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2056"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2521"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2520"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-27405"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-41715"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22629"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-27406"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2056"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2868"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1122"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2520"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22628"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1122"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22662"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22624"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2867"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30293"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2519"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2057"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-25308"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:0466"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:0467"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-22736"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-22736"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:0338"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:0468"
},
{
"trust": 0.1,
"url": "https://support.apple.com/ht213505."
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23521"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-0923"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-41903"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-47629"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0923"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23521"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-41903"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-4415"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:0977"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42867"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42849"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42842"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42866"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42845"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42865"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42863"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42864"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42843"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42852"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht204641"
},
{
"trust": 0.1,
"url": "https://support.apple.com/ht213536."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42837"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42859"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
},
{
"db": "VULMON",
"id": "CVE-2022-40304"
},
{
"db": "PACKETSTORM",
"id": "171310"
},
{
"db": "PACKETSTORM",
"id": "170753"
},
{
"db": "PACKETSTORM",
"id": "170752"
},
{
"db": "PACKETSTORM",
"id": "170668"
},
{
"db": "PACKETSTORM",
"id": "170754"
},
{
"db": "PACKETSTORM",
"id": "169857"
},
{
"db": "PACKETSTORM",
"id": "171173"
},
{
"db": "PACKETSTORM",
"id": "170318"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-1022"
},
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "VULHUB",
"id": "VHN-429438",
"ident": null
},
{
"db": "VULMON",
"id": "CVE-2022-40304",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "171310",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "170753",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "170752",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "170668",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "170754",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "169857",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "171173",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "170318",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-202210-1022",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2022-40304",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2022-11-23T00:00:00",
"db": "VULHUB",
"id": "VHN-429438",
"ident": null
},
{
"date": "2023-03-09T15:14:10",
"db": "PACKETSTORM",
"id": "171310",
"ident": null
},
{
"date": "2023-01-26T15:34:56",
"db": "PACKETSTORM",
"id": "170753",
"ident": null
},
{
"date": "2023-01-26T15:34:49",
"db": "PACKETSTORM",
"id": "170752",
"ident": null
},
{
"date": "2023-01-24T16:30:22",
"db": "PACKETSTORM",
"id": "170668",
"ident": null
},
{
"date": "2023-01-26T15:35:03",
"db": "PACKETSTORM",
"id": "170754",
"ident": null
},
{
"date": "2022-11-15T16:42:23",
"db": "PACKETSTORM",
"id": "169857",
"ident": null
},
{
"date": "2023-02-28T17:09:39",
"db": "PACKETSTORM",
"id": "171173",
"ident": null
},
{
"date": "2022-12-22T02:13:22",
"db": "PACKETSTORM",
"id": "170318",
"ident": null
},
{
"date": "2022-10-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202210-1022",
"ident": null
},
{
"date": "2022-11-23T18:15:12.167000",
"db": "NVD",
"id": "CVE-2022-40304",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2023-02-23T00:00:00",
"db": "VULHUB",
"id": "VHN-429438",
"ident": null
},
{
"date": "2023-06-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202210-1022",
"ident": null
},
{
"date": "2025-04-28T20:15:19.607000",
"db": "NVD",
"id": "CVE-2022-40304",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-1022"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "libxml2 Code problem vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-1022"
}
],
"trust": 0.6
},
"type": {
"_id": null,
"data": "code problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-1022"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.