CVE-2024-40896
9.1
CRITICAL
CVSS 3.1
EPSS 0.55%
Description
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
How to fix CVE-2024-40896
To remediate CVE-2024-40896, upgrade the affected package to a fixed version below.
- Bitnami/java: upgrade to 1.8.0 or later
Is CVE-2024-40896 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.8.0, >= 1.9.0, < 8.0.461
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |