{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-49043", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-11-03T20:35:14.313Z", "dateReserved": "2025-01-26T00:00:00.000Z", "datePublished": "2025-01-26T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "libxml2", "vendor": "xmlsoft", "versions": [{"lessThan": "2.11.0", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-26T05:28:37.041Z"}, "references": [{"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"}, {"url": "https://github.com/php/php-src/issues/17467"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.11.0"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-27T14:52:22.888573Z", "id": "CVE-2022-49043", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-27T14:53:01.116Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:35:14.313Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:35:14.313Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-49043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-27T14:52:22.888573Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-27T14:52:57.061Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "xmlsoft", "product": "libxml2", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.11.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"}, {"url": "https://github.com/php/php-src/issues/17467"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.11.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-26T05:28:37.041Z"}}}, "cveMetadata": {"cveId": "CVE-2022-49043", "state": "PUBLISHED", "dateUpdated": "2025-11-03T20:35:14.313Z", "dateReserved": "2025-01-26T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-01-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "matchCriteriaId": "64230376-40C5-49DC-9517-F5F44D51B281", "versionEndExcluding": "2.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free."}, {"lang": "es", "value": "xmlXIncludeAddNode en xinclude.c en libxml2 anterior a 2.11.0 tiene un use-after-free."}], "id": "CVE-2022-49043", "lastModified": "2025-11-03T21:15:55.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-26T06:15:21.000", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/php/php-src/issues/17467"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1487", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-server-rhel9:1.12.1-2", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1487", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-ui-rhel9:1.12.0-2", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1517", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libxml2-0:2.9.7-18.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-02-17T00:00:00Z"}, {"advisory": "RHSA-2025:1517", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "libxml2-0:2.9.7-18.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-02-17T00:00:00Z"}, {"advisory": "RHSA-2025:2507", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "libxml2-0:2.9.7-16.el8_8.7", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:1350", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libxml2-0:2.9.13-6.el9_5.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-02-12T00:00:00Z"}, {"advisory": "RHSA-2025:1350", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "libxml2-0:2.9.13-6.el9_5.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-02-12T00:00:00Z"}, {"advisory": "RHSA-2025:1516", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "libxml2-0:2.9.13-3.el9_2.4", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-02-17T00:00:00Z"}, {"advisory": "RHSA-2025:2678", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "libxml2-0:2.9.13-9.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-03-12T00:00:00Z"}, {"advisory": "RHSA-2025:4409", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "rhcos-412.86.202504240545-0", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2025-05-08T00:00:00Z"}, {"advisory": "RHSA-2025:4677", "cpe": "cpe:/a:redhat:openshift:4.13::el9", "package": "rhcos-413.92.202505061702-0", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:7702", "cpe": "cpe:/a:redhat:openshift:4.14::el9", "package": "rhcos-414.92.202505141057-0", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2025-05-21T00:00:00Z"}, {"advisory": "RHSA-2025:4422", "cpe": "cpe:/a:redhat:openshift:4.15::el9", "package": "rhcos-415.92.202504282058-0", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2025-05-08T00:00:00Z"}, {"advisory": "RHSA-2025:3798", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "rhcos-417.94.202504080421-0", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-04-16T00:00:00Z"}, {"advisory": "RHSA-2025:3775", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "rhcos-418.94.202504080525-0", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-04-16T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-container-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-operator-bundle:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-router-rhel9:2.5.3-7", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1925", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.5.5-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2025-02-27T00:00:00Z"}], "bugzilla": {"description": "libxml: use-after-free in xmlXIncludeAddNode", "id": "2342118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342118"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.", "A flaw was found in libxml2 where improper handling of memory allocation failures in `libxml2` can lead to crashes, memory leaks, or inconsistent states. While an attacker cannot directly control allocation failures, they may trigger denial-of-service conditions under extreme system stress."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-49043", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "libxml2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "libxml2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "libxml2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "libxml2", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2025-01-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49043\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49043\nhttps://github.com/php/php-src/issues/17467\nhttps://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"], "statement": "This vulnerability marked as moderate instead of important because memory allocation failures are not typically controllable by an attacker, limiting their exploitability. While improper handling of malloc failures can lead to crashes, memory leaks, or inconsistent states, it does not directly result in privilege escalation or arbitrary code execution. \nAdditionally, in most real-world scenarios, failures due to memory exhaustion occur under extreme system stress rather than as part of an intentional attack vector.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-416: Use After Free vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nAccess to the platform is granted only after successful hard token-based multi-factor authentication (MFA) and is governed by least privilege to ensure that only authorized users and roles can execute or modify code. Red Hat also enforces least functionality, enabling only essential features, services, and ports. Hardening guidelines ensure the most restrictive settings required for operations, while baseline configurations enforce safe memory allocation and deallocation practices to reduce the risk of use-after-free vulnerabilities. The environment employs IPS/IDS and antimalware solutions to detect and prevent malicious code and provide real-time visibility into memory usage, lowering the risk of arbitrary code execution. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of denial-of-service (DoS) attacks. In the event of successful exploitation, process isolation prevents a compromised process from accessing memory freed by another, containing potential impact. Finally, memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) enhance resilience against memory-related vulnerabilities.", "threat_severity": "Moderate"}

{}