{"id":"UBUNTU-CVE-2017-9765","details":"Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x before 2.8.48, as used on Axis cameras and other devices, allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via a large XML document, aka Devil's Ivy. NOTE: the large document would be blocked by many common web-server configurations on general-purpose computers.","modified":"2026-04-22T11:37:37.455134Z","published":"2017-07-20T00:29:00Z","upstream":["CVE-2017-9765"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-9765"},{"type":"REPORT","url":"http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions"},{"type":"REPORT","url":"https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017)"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2017-9765"}],"affected":[{"package":{"name":"gsoap","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/gsoap@2.8.28-1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.8.22-1","2.8.22-2","2.8.28-1"],"ecosystem_specific":{"binaries":[{"binary_name":"gsoap","binary_version":"2.8.28-1"},{"binary_name":"libgsoap8","binary_version":"2.8.28-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-9765.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}