CVE-2016-9318

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 16-11-2016 01:59

Last modified: - 09-04-2022 01:15

Total changes: - 2

Description

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Low

Attack complexity

Local

Attack vector

None

Availability

High

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

Required

User interaction

5.5

Base score

1.8

3.6

Exploitability score

Impact score

Verification logic

AND

vendor=xmlsoft AND product=libxml2 AND versionEndIncluding=2.9.4

vendor=xmlsec_project AND product=xmlsec AND versionEndIncluding=1.2.23

vendor=canonical AND product=ubuntu_linux AND version=12.04 AND software_edition=esm

vendor=canonical AND product=ubuntu_linux AND version=14.04 AND software_edition=esm

vendor=canonical AND product=ubuntu_linux AND version=16.04 AND software_edition=lts

vendor=canonical AND product=ubuntu_linux AND version=18.04 AND software_edition=lts

Reference

https://bugzilla.gnome.org/show_bug.cgi?id=772726
https://github.com/lsh123/xmlsec/issues/43
94347-Third Party Advisory, VDB Entry
GLSA-201711-01-Third Party Advisory
USN-3739-2-Third Party Advisory
USN-3739-1-Third Party Advisory
[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update-

Keywords

CVE-2016-9318

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2016-9318

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures