- Description
- HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV.
- Source
- 9b29abf9-4ab0-4765-b253-1875cd9b441e
- NVD status
- Analyzed
- Products
- html\
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- 9b29abf9-4ab0-4765-b253-1875cd9b441e
- CWE-416
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oalders:html\\:\\:entities:*:*:*:*:*:perl:*:*",
            "matchCriteriaId": "0DB42006-30BD-4085-8C4B-F9D75404315C",
            "versionEndExcluding": "3.84",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]