Posted to c-dev@xerces.apache.org by "Lakka, Matina (Nokia - GR/Athens)" <ma...@nokia.com> on 2016/03/16 13:19:35 UTC

Xerces C++ vulnerabilities CVE-2015-0252 and CVE-2016-0729

Hi all,

I would like to ask a question regarding the "CVE-2015-0252 and CVE-2016-0729" vulnerabilities.

We are using Xerces C++ 2.8.0 and therefore we are affected by both "Buffer Overflow Vulnerability - CVE-2016-0729" and "Denial of Service Vulnerability - CVE-2015-0252".
In the description provided it is mentioned that these vulnerabilities can be exploited by an unauthenticated attacker.

Our software uses XML parsing and login is required so as to proceed with XML parsing. The question is whether the login procedure reduces the vulnerability criticality, regarding the authentication metric (CVSS score). Is this attacker still considered as unauthenticated in our case?

Thank you in advance for your prompt reply.

Best,
Matina

Matina Lakka
FN Services PV R&D 22
NOKIA
Promitheos Str. 12, 145 64 Nea Kifissia
Athens - Greece
mail to: matina.lakka@nsn.com