INSYDE-SA-2024002

Product: Supervyse
CVSS Score: 5.5 to 8.1 (per-CVE scores are listed under Vulnerability Details)
Original Date: 2024-05-13
Last Revised: not revised since the initial release (revision 1, 2024-05-13)

Summary

Upgrade libexpat to 2.6.2

Vulnerability Details

CVSS Vector: see the per-CVE entries below.

Upgrade libexpat to version 2.6.2, which addresses the following vulnerabilities:

  1. CVE-2022-40674:
    CVSS: 8.1
    CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    Use-after-free in doContent (xmlparse.c) can lead to denial of service or arbitrary code execution
  2. CVE-2022-43680:
    CVSS: 7.5
    CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Use-after-free caused by over-eager destruction of a shared DTD in XML_ExternalEntityParserCreate under out-of-memory conditions can lead to denial of service or arbitrary code execution
  3. CVE-2023-52425:
    CVSS: 7.5
    CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Big tokens that need several buffer fills (as when compressed XML input is fed in chunks) force repeated full reparsing and can lead to denial of service
  4. CVE-2023-52426:
    CVSS: 5.5
    CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Recursive expansion of XML entities in builds compiled without XML_DTD can lead to exhaustion of resources and denial of service
  5. CVE-2024-28757:
    CVSS: N/A
    CVSS Vector String: N/A
    Billion laughs (XML entity expansion) is not blocked when an external entity parser created via XML_ExternalEntityParserCreate is used in isolation
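A quick way to check a libexpat build against this advisory, written as an added example and not Insyde's or the libexpat project's own code: Python's xml.parsers.expat is a thin binding over whatever libexpat CPython was linked with, so expat.version_info identifies that build, a small table of first-fixed releases (taken from the libexpat release notes; the fourth entry above, recursive entity expansion with CVSS 5.5, is tracked there as CVE-2023-52426) says which of the five CVEs that build still carries, and a constructed nested-entity document exercises the amplification guard expat has shipped since 2.4.0 (default limit 100x, enforced once 8 MiB of output has been produced), which is the protection the last two entries are about. The names FIXED_IN, build_entity_bomb and entity_guard_blocks_bomb are this example's own, and the sample document is constructed here.

```python
# Added example for INSYDE-SA-2024002; not Insyde or libexpat project code.
# Standard library only: xml.parsers.expat wraps the libexpat build Python
# was linked against, so probing it tells you about that build.
import xml.parsers.expat as expat
from xml.parsers.expat import ExpatError

# libexpat release that first shipped each fix (from the libexpat release notes).
# The advisory's fourth entry (recursive entity expansion, CVSS 5.5) is the
# issue the release notes track as CVE-2023-52426.
FIXED_IN = {
    "CVE-2022-40674": (2, 4, 9),   # use-after-free in doContent
    "CVE-2022-43680": (2, 5, 0),   # use-after-free, shared DTD under OOM
    "CVE-2023-52425": (2, 6, 0),   # quadratic reparsing of big tokens
    "CVE-2023-52426": (2, 6, 0),   # recursive entity expansion without XML_DTD
    "CVE-2024-28757": (2, 6, 2),   # entity expansion via isolated external parser
}
ADVISORY_TARGET = (2, 6, 2)        # version the advisory upgrades to


def expat_version():
    """Version tuple of the libexpat build behind xml.parsers.expat."""
    return tuple(expat.version_info)


def outstanding_cves(version):
    """CVEs from the advisory whose fix is newer than the given expat version."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def meets_advisory(version):
    """True when the build is at or beyond the version the advisory calls for."""
    return version >= ADVISORY_TARGET


def expanded_size(levels=4, fanout=10, seed_len=1024):
    """Bytes of character data the bomb's root reference expands to."""
    return seed_len * fanout ** levels


def build_entity_bomb(levels=4, fanout=10, seed_len=1024):
    """Constructed nested-entity document (sample input, not from any real target).

    The root reference expands to seed_len * fanout**levels bytes (about
    9.8 MiB with the defaults) from under 2 KiB of source, which crosses
    expat's default 8 MiB activation threshold at an amplification far
    above the default 100x limit.
    """
    lines = ["<?xml version='1.0'?>", "<!DOCTYPE bomb ["]
    lines.append(f'<!ENTITY e0 "{"A" * seed_len}">')
    for lvl in range(1, levels + 1):
        refs = f"&e{lvl - 1};" * fanout        # each level references the previous one fanout times
        lines.append(f'<!ENTITY e{lvl} "{refs}">')
    lines.append("]>")
    lines.append(f"<bomb>&e{levels};</bomb>")
    return "\n".join(lines)


def entity_guard_blocks_bomb(doc=None):
    """Parse the bomb and report (blocked, bytes_delivered).

    A guarded build (expat >= 2.4.1) raises ExpatError whose message names
    the amplification limit; an unguarded build silently expands the entities
    and hands the whole expansion to the character-data handler.
    """
    doc = build_entity_bomb() if doc is None else doc
    parser = expat.ParserCreate()
    delivered = []
    parser.CharacterDataHandler = lambda data: delivered.append(len(data))
    try:
        parser.Parse(doc, True)
    except ExpatError as err:
        return ("amplification" in str(err), sum(delivered))
    return (False, sum(delivered))


if __name__ == "__main__":
    ver = expat_version()
    dotted = ".".join(map(str, ver))
    print(f"libexpat {dotted}; meets advisory target "
          f"{'.'.join(map(str, ADVISORY_TARGET))}: {meets_advisory(ver)}")
    print("outstanding CVEs:", outstanding_cves(ver) or "none")
    blocked, nbytes = entity_guard_blocks_bomb()
    print(f"entity-expansion guard blocked sample: {blocked} "
          f"({nbytes} of {expanded_size()} bytes delivered)")
```

Run it inside the same interpreter that backs the tooling you care about; a build older than 2.4.1 expands the sample to about 9.8 MiB instead of rejecting it, which is harmless at this size but shows the guard is absent. The probe only exercises the normal parser path: the isolated external-parser case in CVE-2024-28757 bypasses the guard until the 2.6.2 fix, so a blocked sample does not by itself clear that entry.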

Solution Information

OPF: RV24.04.2 and later.

Acknowledgements

Revision History

Revision 1, 2024-05-13: Initial Release