Back to board Open MSRC
MSRC compact vulnerability detail

CVE-2013-0340 · expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function which allows remote attackers to cause a denial of service (resource consumption) send HTTP requests to intranet servers or read arbitrary files via a crafted XML document aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion the responsibility for resolving this issue lies with application developers; according to this argument this entry should be REJECTed and each affected application would need its own CVE.

No description was published by MSRC.

Severity
None
Impact
None
CVSS
n/a base · n/a temporal
Release
2021-12-01
Signals
Mariner None Exploited: n/a Publicly disclosed: n/a Exploitability: n/a
CWE
No CWE data published.
Patch Diff
Loading module diff metadata...
Resolved binary override
Use this when the MSRC module name cannot be mapped automatically or the resolved binary looks wrong.
Old version New version
Description
No description was published by MSRC.
FAQ / Articles
FAQ
Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.