Vulnerability details: VCID-8dyd-depr-aaam
Vulnerability ID VCID-8dyd-depr-aaam
Aliases CVE-2009-3560
Summary The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
Status Published
Exploitability 0.5
Weighted Severity 7.1
Risk 3.5
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
cvssv3.1 6.1 http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
generic_textual MODERATE http://marc.info/?l=bugtraq&m=130168502603566&w=2
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-3560.html
rhas Moderate https://access.redhat.com/errata/RHSA-2009:1625
rhas Moderate https://access.redhat.com/errata/RHSA-2011:0896
epss 0.0101 https://api.first.org/data/v1/epss?cve=CVE-2009-3560
epss 0.01073 https://api.first.org/data/v1/epss?cve=CVE-2009-3560
epss 0.01146 https://api.first.org/data/v1/epss?cve=CVE-2009-3560
epss 0.01175 https://api.first.org/data/v1/epss?cve=CVE-2009-3560
epss 0.0215 https://api.first.org/data/v1/epss?cve=CVE-2009-3560
epss 0.03877 https://api.first.org/data/v1/epss?cve=CVE-2009-3560
epss 0.04023 https://api.first.org/data/v1/epss?cve=CVE-2009-3560
epss 0.04481 https://api.first.org/data/v1/epss?cve=CVE-2009-3560
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
generic_textual MODERATE http://secunia.com/advisories/38231
generic_textual MODERATE http://secunia.com/advisories/43300
apache_httpd low https://httpd.apache.org/security/json/CVE-2009-3560.json
generic_textual MODERATE http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2009-3560
generic_textual Low https://ubuntu.com/security/notices/USN-890-1
generic_textual Low https://ubuntu.com/security/notices/USN-890-2
generic_textual Low https://ubuntu.com/security/notices/USN-890-3
generic_textual Low https://ubuntu.com/security/notices/USN-890-4
generic_textual Low https://ubuntu.com/security/notices/USN-890-5
generic_textual Low https://ubuntu.com/security/notices/USN-890-6
generic_textual Low https://usn.ubuntu.com/usn/usn-890-1
generic_textual Low https://usn.ubuntu.com/usn/usn-890-2
generic_textual Low https://usn.ubuntu.com/usn/usn-890-3
generic_textual Low https://usn.ubuntu.com/usn/usn-890-4
generic_textual Low https://usn.ubuntu.com/usn/usn-890-5
generic_textual Low https://usn.ubuntu.com/usn/usn-890-6
generic_textual MODERATE http://www.ubuntu.com/usn/USN-890-1
generic_textual MODERATE http://www.vupen.com/english/advisories/2010/1107
generic_textual MODERATE http://www.vupen.com/english/advisories/2011/0359
Reference id Reference type URL
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
http://lists.vmware.com/pipermail/security-announce/2010/000082.html
http://mail.python.org/pipermail/expat-bugs/2009-November/002846.html
http://marc.info/?l=bugtraq&m=130168502603566&w=2
http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-3560.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3560.json
https://api.first.org/data/v1/epss?cve=CVE-2009-3560
https://bugzilla.redhat.com/show_bug.cgi?id=533174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://secunia.com/advisories/37537
http://secunia.com/advisories/38231
http://secunia.com/advisories/38794
http://secunia.com/advisories/38832
http://secunia.com/advisories/38834
http://secunia.com/advisories/39478
http://secunia.com/advisories/41701
http://secunia.com/advisories/43300
http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rad2acee3ab838b52c04a0698b1728a9a43467bf365bd481c993c535d@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rad2acee3ab838b52c04a0698b1728a9a43467bf365bd481c993c535d%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10613
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12942
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6883
https://ubuntu.com/security/notices/USN-890-1
https://ubuntu.com/security/notices/USN-890-2
https://ubuntu.com/security/notices/USN-890-3
https://ubuntu.com/security/notices/USN-890-4
https://ubuntu.com/security/notices/USN-890-5
https://ubuntu.com/security/notices/USN-890-6
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273630-1
https://usn.ubuntu.com/usn/usn-890-1
https://usn.ubuntu.com/usn/usn-890-2
https://usn.ubuntu.com/usn/usn-890-3
https://usn.ubuntu.com/usn/usn-890-4
https://usn.ubuntu.com/usn/usn-890-5
https://usn.ubuntu.com/usn/usn-890-6
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00370.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00394.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00413.html
http://www.debian.org/security/2009/dsa-1953
http://www.mandriva.com/security/advisories?name=MDVSA-2009:316
http://www.redhat.com/support/errata/RHSA-2011-0896.html
http://www.securityfocus.com/bid/37203
http://www.securitytracker.com/id?1023278
http://www.ubuntu.com/usn/USN-890-1
http://www.ubuntu.com/usn/USN-890-6
http://www.vupen.com/english/advisories/2010/0528
http://www.vupen.com/english/advisories/2010/0896
http://www.vupen.com/english/advisories/2010/1107
http://www.vupen.com/english/advisories/2011/0359
560901 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560901
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
CVE-2009-3560 https://httpd.apache.org/security/json/CVE-2009-3560.json
CVE-2009-3560 https://nvd.nist.gov/vuln/detail/CVE-2009-3560
GLSA-201209-06 https://security.gentoo.org/glsa/201209-06
RHSA-2009:1625 https://access.redhat.com/errata/RHSA-2009:1625
RHSA-2011:0896 https://access.redhat.com/errata/RHSA-2011:0896
USN-890-1 https://usn.ubuntu.com/890-1/
USN-890-2 https://usn.ubuntu.com/890-2/
USN-890-3 https://usn.ubuntu.com/890-3/
USN-890-4 https://usn.ubuntu.com/890-4/
USN-890-5 https://usn.ubuntu.com/890-5/
USN-890-6 https://usn.ubuntu.com/890-6/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2009-3560
Access Vector (AV): network; Access Complexity (AC): low; Authentication (Au): none; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): partial; Exploitability (E): not_defined
Exploit Prediction Scoring System (EPSS)
Percentile 0.75201
EPSS Score 0.0101
Published At April 13, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.