CVE-2024-45490: 
Bottlerocket vulnerability analysis and mitigation

A vulnerability was discovered in libexpat before version 2.6.3, identified as CVE-2024-45490. The issue resides in xmlparse.c, which fails to reject a negative length value for XML_ParseBuffer. This vulnerability was discovered and disclosed in August 2024 and affects the libexpat XML parsing library (MITRE CVE, NVD).

The vulnerability is related to improper input validation in the XML_ParseBuffer function within xmlparse.c. The function does not properly validate negative length parameters, which could lead to memory corruption. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network accessible, requires low attack complexity, and primarily impacts system availability (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability primarily affects system availability, as indicated by the CVSS scoring (NetApp Advisory).

The vulnerability has been fixed in libexpat version 2.6.3. Users are advised to upgrade to this version or later to address the security issue. Multiple vendors have released patches for their affected products, including ONTAP, which has released various patch versions to address this vulnerability (NetApp Advisory).