CVE-2014-3660: Uncontrolled Resource Consumption

November 4, 2014 (updated December 8, 2016)

parser.c in libxml2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the “billion laughs” attack.

References

nvd.nist.gov/vuln/detail/CVE-2014-3660

Code Behaviors & Features

Detect and mitigate CVE-2014-3660 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →