{
  "threat_severity" : "Moderate",
  "public_date" : "2024-03-10T00:00:00Z",
  "bugzilla" : {
    "description" : "expat: XML Entity Expansion",
    "id" : "2268766",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2268766"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-776",
  "details" : [ "libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).", "An XML Entity Expansion flaw was found in libexpat. This flaw allows an attacker to cause a denial of service when there is an isolated use of external parsers." ],
  "statement" : "This vulnerability is rated as moderate severity. The flaw was found in the libexpat library in the xmlparse.c file, specifically in the handling of external parsers. The issue is an XML Entity Expansion flaw caused by the parser's failure to detect direct recursion when a parameter entity references itself in an external subset. An attacker can trigger this by submitting a specially crafted XML document, which creates an infinite processing loop, leading to uncontrolled resource consumption and causing a denial of service (DoS).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-11-19T00:00:00Z",
    "advisory" : "RHSA-2025:21776",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "expat-0:2.5.0-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHBA-2024:2518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "expat-0:2.5.0-2.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-03-26T00:00:00Z",
    "advisory" : "RHSA-2024:1530",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "expat-0:2.5.0-1.el9_3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHBA-2024:2518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "expat-0:2.5.0-2.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-03-26T00:00:00Z",
    "advisory" : "RHSA-2024:1530",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "expat-0:2.5.0-1.el9_3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-06-13T00:00:00Z",
    "advisory" : "RHSA-2024:3926",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "expat-0:2.5.0-1.el9_2.1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2026-03-26T00:00:00Z",
    "advisory" : "RHSA-2026:5087",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el9",
    "package" : "rhcos-414.92.202603110216-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2026-03-19T00:00:00Z",
    "advisory" : "RHSA-2026:4419",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el9",
    "package" : "rhcos-415.92.202603101737-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2026-03-19T00:00:00Z",
    "advisory" : "RHSA-2026:4465",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "rhcos-416.94.202603112010-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2026-03-19T00:00:00Z",
    "advisory" : "RHSA-2026:4480",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "rhcos-417.94.202603102246-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.18",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:3876",
    "cpe" : "cpe:/a:redhat:openshift:4.18::el9",
    "package" : "rhcos-418.94.202603021444-0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "compat-expat1",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "expat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "expat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-28757\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-28757\nhttps://github.com/libexpat/libexpat/issues/839" ],
  "name" : "CVE-2024-28757",
  "csaw" : false
}