Skip to content

CVE-2015-8710 #360

New issue
New issue
Closed
Closed
CVE-2015-8710#360
Labels
devguardDevGuardseverity:mediumSeverity of the dependencyVulnstate:open
@devguard-bot-dev

Description

@devguard-bot-dev
devguard-bot-dev
bot
opened on Mar 28, 2025

CVE-2015-8710

The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.

Affected component

The vulnerability is in pkg:deb/debian/[email protected]+dfsg-1.3~deb12u1, detected by the github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning scan.

Recommended fix

Upgrade to version 2.9.2+really2.9.1+dfsg1-0.1 or later.

Risk: 1.58 (Low)

EPSS: 2.44 %

The exploit probability is very low. The vulnerability is unlikely to be exploited in the next 30 days.

Exploit: Proof of Concept

A proof of concept is available for this vulnerability:
https://github.com/Karm/CVE-2015-8710

Vulnerability Depth: 3

The vulnerability is in a dependency of a dependency your project. It is 3 levels deep.

CVSS-BE: 9.8

  • Exploiting this vulnerability significantly impacts availability.
  • Exploiting this vulnerability significantly impacts integrity.
  • Exploiting this vulnerability significantly impacts confidentiality.

CVSS-B: 9.8

  • The vulnerability can be exploited over the network without needing physical access.
  • It is easy for an attacker to exploit this vulnerability.
  • An attacker does not need any special privileges or access rights.
  • No user interaction is needed for the attacker to exploit this vulnerability.
  • The impact is confined to the system where the vulnerability exists.
  • There is a high impact on the confidentiality of the information.
  • There is a high impact on the integrity of the data.
  • There is a high impact on the availability of the system.

More details can be found in DevGuard

Slash Commands

You can use the following slash commands to interact with this vulnerability:

  • /accept <Justification> or /a <Justification> - Accept the risk
  • /false-positive <Justification> or /fp <Justification> - Mark the risk as false positive
  • /reopen <Justification> or /r <Justification> - Reopen the risk

Risk exceeds predefined threshold

Metadata

Metadata

Assignees

No one assigned

    Labels

    devguardDevGuardseverity:mediumSeverity of the dependencyVulnstate:open

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions