Description: XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file.
Source: CVE-2014-1626 (at NVD)
Debian Bugs: 736275

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         | Release               | Version | Status
libmarc-xml-perl (PTS) | buster, bullseye      | 1.0.5-1 | fixed
libmarc-xml-perl (PTS) | sid, trixie, bookworm | 1.0.5-2 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs


[wheezy] - libmarc-xml-perl <no-dsa> (Too intrusive to backport)
[squeeze] - libmarc-xml-perl <no-dsa> (Too intrusive to backport)
older versions do not have the ability to set a user custom parser, so how to fix CVE-2014-1626 there is not clear yet
upstream developer contacted and is looking into it; a backported fix might be too intrusive due to the change in the module used
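As an added illustration of the bug class in the description above and of the "custom parser" the notes refer to (this is example code written for this page, not code from the Debian tracker, from MARC::File::XML, or from Evergreen or Koha): the script below builds a constructed MARCXML record whose 245$a subfield is an external entity pointing at a local file, then parses it once with XML::LibXML's documented defaults and once with a parser told to refuse entity expansion and external DTDs. The record, the temporary "secret" file, the title_of and reject_doctype helpers and the chosen parser options are all assumptions of this example; MARC::File::XML 1.0.x is built on XML::LibXML, but this page does not state which exact options the 1.0.2 fix uses.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;
use File::Temp qw(tempfile);

# Constructed sample: a local file standing in for /etc/passwd or a config
# file that an attacker would like to exfiltrate through the XML parser.
my ($fh, $secret_path) = tempfile();
print $fh "db_password=hunter2\n";
close $fh;

# Constructed MARCXML record. The DOCTYPE declares an external general entity
# whose SYSTEM identifier is the file above; the entity is referenced from 245$a.
my $marcxml = <<"XML";
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE collection [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<collection xmlns="http://www.loc.gov/MARC21/slim">
  <record>
    <leader>00000nam a2200000 a 4500</leader>
    <datafield tag="245" ind1="1" ind2="0">
      <subfield code="a">&xxe;</subfield>
    </datafield>
  </record>
</collection>
XML

# Hypothetical helper: parse with the given XML::LibXML parser and return the
# string value of 245$a, i.e. whatever ended up where the title should be.
sub title_of {
    my ($parser, $xml) = @_;
    my $doc = $parser->load_xml(string => $xml);
    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs(marc => 'http://www.loc.gov/MARC21/slim');
    return $xpc->findvalue('//marc:datafield[@tag="245"]/marc:subfield[@code="a"]');
}

# Hypothetical gatekeeper: MARCXML has no legitimate use for a DOCTYPE, so an
# application can reject one before any parser sees the bytes. This is a
# cheap extra layer, not a substitute for configuring the parser correctly.
sub reject_doctype {
    my ($xml) = @_;
    die "refusing MARCXML that carries a DOCTYPE declaration\n" if $xml =~ /<!DOCTYPE/i;
    return $xml;
}

# Vulnerable configuration: XML::LibXML's defaults are expand_entities => 1 and
# load_ext_dtd => 1, so libxml2 fetches the file and substitutes its contents
# into the record. This is the class of bug CVE-2014-1626 describes.
my $default = XML::LibXML->new();
print "default parser:  ", title_of($default, $marcxml), "\n";

# Hardened configuration: no entity substitution, no external DTD subset, and
# no network fetches at all. The entity reference is left unexpanded, so the
# file contents never reach the record.
my $hardened = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
);
print "hardened parser: ", title_of($hardened, $marcxml), "\n";

# The pre-parse check stops the same input even earlier.
eval { reject_doctype($marcxml) };
print "gatekeeper:      $@" if $@;

unlink $secret_path;
```

Run it with a stock XML::LibXML: the first line prints the contents of the temporary file in place of the title, the second prints nothing from that file, and the third shows the DOCTYPE being refused. The notes above say that pre-1.0 versions of MARC::File::XML cannot be handed a caller-supplied parser, which is why the same hardening could not simply be applied to the squeeze and wheezy packages; for a 1.0.x deployment that cannot upgrade to 1.0.2, a parser configured like $hardened is the shape of mitigation to look for, though the exact hook and its signature should be checked against the installed module rather than assumed from this example.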
