.. _expat-billion-laughs:

CVE-2013-0340 Billion Laughs fixed in Expat 2.4.0
=================================================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

On Windows and macOS, Python uses a vendored copy of libexpat which is vulnerable to the XML "Billion Laughs" entity expansion denial of service attack. Updating the libexpat copy in Python to libexpat 2.4.0 or newer fixes the vulnerability.

Dates:

* Disclosure date: **2021-06-11** (Python issue bpo-44394 reported)

Fixed In
--------

* Python **3.6.15** (2021-09-04) fixed by `commit 910886a (branch 3.6) `_ (2021-08-31)
* Python **3.7.12** (2021-09-04) fixed by `commit 79101b8 (branch 3.7) `_ (2021-08-31)
* Python **3.8.12** (2021-08-30) fixed by `commit c9c2a0b (branch 3.8) `_ (2021-08-29)
* Python **3.9.7** (2021-08-30) fixed by `commit 007221a (branch 3.9) `_ (2021-08-29)
* Python **3.10.0** (2021-10-04) fixed by `commit 2706785 (branch 3.10) `_ (2021-08-29)

Python issue
------------

[security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1.

* Python issue: `bpo-44394 `_
* Creation date: 2021-06-11
* Reporter: STINNER Victor

CVE-2013-0340
-------------

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.

NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

* CVE ID: `CVE-2013-0340 `_
* Published: 2014-01-21
* `CVSS Score `_: 6.8

Timeline
--------

Timeline using the disclosure date **2021-06-11** as reference:

* 2014-01-21 (**-2698 days**): CVE-2013-0340 published
* 2021-06-11: `Python issue bpo-44394 `_ reported by STINNER Victor
* 2021-08-29 (**+79 days**): `commit 007221a (branch 3.9) `_
* 2021-08-29 (**+79 days**): `commit 2706785 (branch 3.10) `_
* 2021-08-29 (**+79 days**): `commit c9c2a0b (branch 3.8) `_
* 2021-08-30 (**+80 days**): Python 3.8.12 released
* 2021-08-30 (**+80 days**): Python 3.9.7 released
* 2021-08-31 (**+81 days**): `commit 79101b8 (branch 3.7) `_
* 2021-08-31 (**+81 days**): `commit 910886a (branch 3.6) `_
* 2021-09-04 (**+85 days**): Python 3.6.15 released
* 2021-09-04 (**+85 days**): Python 3.7.12 released
* 2021-10-04: Python 3.10.0 released

Links
-----

* https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
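The two mitigations this page names, running a libexpat that carries the 2.4.0 fix and, on older libexpat, refusing entity declarations from an XML_SetEntityDeclHandler callback, as an added Python example (not code from the Python issue, from CPython or from Expat); the function names and the two sample documents are constructed for illustration:

```python
# Added example (not from the Python issue or from Expat): check whether the
# libexpat linked into this Python is 2.4.0 or newer, and show the pre-2.4.0
# workaround the CVE text mentions: an entity declaration handler
# (XML_SetEntityDeclHandler, exposed as EntityDeclHandler in pyexpat) that
# refuses every entity declaration, so a document cannot define the nested
# entities that a "Billion Laughs" expansion relies on.
import xml.parsers.expat as expat

FIXED_IN = (2, 4, 0)  # first Expat release with the expansion protection


def expat_is_fixed(version_info=None):
    """Return True if libexpat is 2.4.0 or newer (defaults to the linked one)."""
    if version_info is None:
        version_info = expat.version_info  # e.g. (2, 4, 1)
    return tuple(version_info[:3]) >= FIXED_IN


class EntityDeclarationRejected(ValueError):
    """Raised when a document tries to declare an entity."""


def parse_rejecting_entities(xml_bytes):
    """Parse XML with expat, refusing any <!ENTITY ...> declaration.

    Returns the element names seen, in document order. Raising inside an
    expat handler stops the parser and the exception propagates out of Parse().
    """
    parser = expat.ParserCreate()
    seen = []

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        raise EntityDeclarationRejected(
            "entity declaration %r refused" % entity_name)

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_bytes, True)
    return seen


if __name__ == "__main__":
    print("libexpat", expat.EXPAT_VERSION, "fixed:", expat_is_fixed())
    # Constructed sample documents: one plain, one declaring an entity.
    print(parse_rejecting_entities(b"<doc><item/></doc>"))
    try:
        parse_rejecting_entities(
            b'<!DOCTYPE doc [<!ENTITY e "x">]><doc>&e;</doc>')
    except EntityDeclarationRejected as exc:
        print("rejected:", exc)
```

Rejecting all declarations is stricter than Expat 2.4.0's own amplification limit, which still allows modest, legitimate entity use; pick the handler approach only where the document format never needs a DTD.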