CVE-2022-2309

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-2309
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2309.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-2309
Published
2022-07-05T09:00:12Z
Modified
2025-11-19T10:54:44.318792Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
NULL Pointer Dereference in lxml/lxml
Details

A NULL pointer dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14; libxml2 2.9.9 and earlier are not affected. Forged input data can trigger a crash, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in widespread use, given that parsing followed by iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N, for example, would also be vulnerable, and there are legitimate use cases for this code sequence. If untrusted input is received (including remotely) and processed via the iterwalk function, a crash can be triggered.

Database specific
{
    "cwe_ids": [
        "CWE-476"
    ]
}
Affected packages

Git / github.com/lxml/lxml

Affected ranges

Type
GIT
Repo
https://github.com/lxml/lxml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.9.1"
        }
    ]
}

Affected versions

lxml-0.*

lxml-0.5.1
lxml-0.6
lxml-0.7
lxml-0.9

lxml-1.*

lxml-1.0
lxml-1.0.beta
lxml-1.1
lxml-1.1alpha
lxml-1.1beta
lxml-1.2

lxml-2.*

lxml-2.0
lxml-2.0.1
lxml-2.0alpha1
lxml-2.0alpha2
lxml-2.0alpha3
lxml-2.0alpha4
lxml-2.0alpha5
lxml-2.0alpha6
lxml-2.0beta1
lxml-2.0beta2
lxml-2.1
lxml-2.1alpha1
lxml-2.1beta1
lxml-2.1beta2
lxml-2.1beta3
lxml-2.2
lxml-2.2.1
lxml-2.2.2
lxml-2.3
lxml-2.3.1
lxml-2.3.2
lxml-2.3.3
lxml-2.3.4
lxml-2.3.5
lxml-2.3.6
lxml-2.3alpha1
lxml-2.3alpha2
lxml-2.3beta1

lxml-3.*

lxml-3.0
lxml-3.0.1
lxml-3.0.2
lxml-3.0alpha1
lxml-3.0alpha2
lxml-3.0beta1
lxml-3.1.0
lxml-3.1.1
lxml-3.1.2
lxml-3.1beta1
lxml-3.2.0
lxml-3.2.1
lxml-3.2.2
lxml-3.2.3
lxml-3.2.4
lxml-3.2.5
lxml-3.3.0
lxml-3.3.0beta1
lxml-3.3.0beta2
lxml-3.3.0beta3
lxml-3.3.0beta4
lxml-3.3.0beta5
lxml-3.3.1
lxml-3.3.2
lxml-3.3.3
lxml-3.3.4
lxml-3.3.5
lxml-3.3.6
lxml-3.4.0
lxml-3.4.0beta1
lxml-3.4.1
lxml-3.4.2
lxml-3.4.3
lxml-3.4.4
lxml-3.5.0
lxml-3.5.0b1
lxml-3.6.0
lxml-3.6.1
lxml-3.6.2
lxml-3.6.3
lxml-3.6.4
lxml-3.7.0
lxml-3.7.1
lxml-3.7.2
lxml-3.8.0
lxml-3.8.0-py27fix

lxml-4.*

lxml-4.0.0
lxml-4.1.0
lxml-4.1.1
lxml-4.2.0
lxml-4.2.1
lxml-4.2.2
lxml-4.2.3
lxml-4.2.3-win
lxml-4.2.4
lxml-4.2.5
lxml-4.2.6
lxml-4.2.6-win1
lxml-4.3.0
lxml-4.3.1
lxml-4.3.2
lxml-4.3.3
lxml-4.3.4
lxml-4.3.5
lxml-4.4.0
lxml-4.4.1
lxml-4.4.2
lxml-4.4.3
lxml-4.5.0
lxml-4.5.1
lxml-4.5.2
lxml-4.6.0
lxml-4.6.1
lxml-4.6.2
lxml-4.6.3
lxml-4.6.4
lxml-4.6.4-1
lxml-4.6.4-2
lxml-4.6.4-3
lxml-4.6.4-4
lxml-4.6.4-5
lxml-4.6.5
lxml-4.7.0
lxml-4.7.0-pre
lxml-4.7.1
lxml-4.8.0
lxml-4.9.0