Home > Vulnerability Database > CVE-2024-23807

Mend.io Vulnerability Database

CVE-2024-23807

Good to know:

Date: February 28, 2024

The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly stated the issue would be fixed in version 3.2.3 or 3.2.4.

Severity Score

9.8

Related Resources (4)

Url: https://github.com/apache/xerces-c/pull/54

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-23807

Url: https://lists.apache.org/thread/c497tgn864tsbm8w0bo3f0d81s07zk9r

Url: https://www.mend.io/vulnerability-database/CVE-2024-23807

Severity Score

9.8

Weakness Type (CWE)

Use After Free

CWE-416

Top Fix

Upgrade Version

Upgrade to version xerces-c-static - no_fix;DucoEngine - 2025.3.1;xerces-c - 3.2.5

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-23807

Good to know:

Date: February 28, 2024

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?