CVE-2024-28757
CVE Details
Visit the official vulnerability details page for CVE-2024-28757 to learn more.
Initial Publication
10/25/2024
Last Update
09/02/2025
Third Party Dependency
libexpat
NIST CVE Summary
libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
CVE Severity
Our Official Summary
This is a high-severity denial-of-service (DoS) vulnerability in libexpat, a widely used C library for parsing XML. It affects versions ≤ 2.6.1 and is fixed in version 2.6.2. Risk of exploitation is low for our products as attacker has to gain privilged access to the container and run code on the container to be able to exploit this. Probability of exploitation is very low. If a fix becomes available upstream, that will be adopted to fix this vulnerability.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
| 4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.5.22 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|
| 08/18/2025 | Advisory assigned with HIGH severity |
| 05/29/2025 | Official summary added |