FILE-OTHER -- Snort detected traffic targeting vulnerabilities in a file type that does not require enough rule coverage to have its own category.
FILE-OTHER libexpat internal entity heap over-read attempt
This event is generated when an attempt to cause a heap over-read is performed against Expat application or application utilizing the libexpat library.
Remote Code Execution
Libexpat is vulnerable to a heap over-read caused by a malicious XML DTD entity. The malicious entity attempts to trick the parser into thinking the entity was closed so when the application tries to parse the contents as if it was part of the XML document body it is actually performing a heap over-read.
Ease of Attack:
What To Look For
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2019-15903In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
||Ease of Access||LOW