Bug 1212092 (CVE-2023-34104)

Summary: VUL-0: CVE-2023-34104: velociraptor: fast-xml-parser: unescaped special characters in entity name
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Jeff Mahoney <jeffm>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/368595/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gabriele Sonnu 2023-06-07 09:09:33 UTC
CVE-2023-34104

fast-xml-parser is an open source, pure JavaScript XML parser. fast-xml-parser
allows special characters in entity names, which are not escaped or sanitized.
Since the entity name is used for creating a regex for searching and replacing
entities in the XML body, an attacker can abuse it for denial of service (DoS)
attacks. By crafting an entity name that results in an intentionally bad
performing regex and utilizing it in the entity replacement step of the parser,
this can cause the parser to stall for an indefinite amount of time. This
problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable
to upgrade should avoid using DOCTYPE parsing by setting the `processEntities:
false` option.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34104
https://www.cve.org/CVERecord?id=CVE-2023-34104
https://github.com/NaturalIntelligence/fast-xml-parser/commit/39b0e050bb909e8499478657f84a3076e39ce76c
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw
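
A simplified model of the flaw described above and one way to harden it, as an added example that is not part of the original report and not fast-xml-parser's own code. The function names, the name allow-list and the sample input are assumptions constructed for illustration.

```javascript
// Simplified model of the entity replacement step the advisory describes.
// Not fast-xml-parser's code; every function name here is hypothetical.

// Vulnerable pattern: the DOCTYPE-declared entity name is placed in a RegExp as-is,
// so metacharacters in the name become regex syntax chosen by the document author.
function replaceEntityUnsafe(body, name, value) {
  return body.replace(new RegExp("&" + name + ";", "g"), value);
}

// Escape regex metacharacters so the name can only match literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Conservative ASCII subset of XML names (an assumption made for this example).
const SAFE_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

function validateEntityName(name) {
  if (!SAFE_NAME.test(name)) {
    throw new Error("Invalid entity name: " + JSON.stringify(name));
  }
  return name;
}

// Hardened pattern: reject unexpected names, then escape what remains
// ("." is legal in a name but is still a regex wildcard).
function replaceEntitySafe(body, name, value) {
  const pattern = "&" + escapeRegExp(validateEntityName(name)) + ";";
  return body.replace(new RegExp(pattern, "g"), value);
}

// Returns true if fn throws; used to show how each variant treats a bad name.
function throws(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// Constructed sample input: only "&a.c;" is a reference to the entity named "a.c".
const SAMPLE_BODY = "<r>&abc; &a.c;</r>";

console.log(replaceEntityUnsafe(SAMPLE_BODY, "a.c", "X")); // "." acts as a wildcard
console.log(replaceEntitySafe(SAMPLE_BODY, "a.c", "X"));   // literal match only
console.log(throws(() => replaceEntitySafe(SAMPLE_BODY, "a|b", "X"))); // rejected
```

Validation and escaping are applied together here because a name can pass a plain name check and still contain a regex metacharacter such as ".".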

Comment 1 Gabriele Sonnu 2023-06-07 09:12:43 UTC
openSUSE:Factory/velociraptor embeds fast-xml-parser v3.21.1, which is vulnerable according to the advisory [0].

[0] https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw