CVE-2016-4449 - OpenCVE

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Redhat	Enterprise Linux Jboss Core Services
Xmlsoft	Libxml2

Configuration 1 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:15.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::

Configuration 3 [-]

cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 6
libxml2-0:2.7.6-21.el6_8.1	cpe:/o:redhat:enterprise_linux:6	RHSA-2016:1292	2016-06-23T00:00:00Z
Red Hat Enterprise Linux 7
libxml2-0:2.9.1-6.el7_2.3	cpe:/o:redhat:enterprise_linux:7	RHSA-2016:1292	2016-06-23T00:00:00Z
Red Hat JBoss Core Services 1
	cpe:/a:redhat:jboss_core_services:1	RHSA-2016:2957	2016-12-15T00:00:00Z

References

Link	Providers
http://jvn.jp/en/jp/JVN17535578/index.html
http://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000066.html
http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html
http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html
http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html
http://lists.apple.com/archives/security-announce/2016/Jul/msg00005.html
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://www.openwall.com/lists/oss-security/2016/05/25/2
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/90865
http://www.securitytracker.com/id/1036348
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.404722
http://www.ubuntu.com/usn/USN-2994-1
http://xmlsoft.org/news.html
https://access.redhat.com/errata/RHSA-2016:1292
https://git.gnome.org/browse/libxml2/commit/?id=b1d34de46a11323fccffa9fadeb33be670d602f5
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05194709
https://kc.mcafee.com/corporate/index?page=content&id=SB10170
https://nvd.nist.gov/vuln/detail/CVE-2016-4449
https://support.apple.com/HT206899
https://support.apple.com/HT206901
https://support.apple.com/HT206902
https://support.apple.com/HT206903
https://support.apple.com/HT206904
https://support.apple.com/HT206905
https://support.cybozu.com/ja-jp/article/9735
https://www.cve.org/CVERecord?id=CVE-2016-4449
https://www.debian.org/security/2016/dsa-3593
https://www.tenable.com/security/tns-2016-18

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2016-06-09T16:00:00

Updated: 2024-08-06T00:32:25.361Z

Reserved: 2016-05-02T00:00:00

Link: CVE-2016-4449

Vulnrichment

No data.

NVD

Status : Modified

Published: 2016-06-09T16:59:07.800

Modified: 2018-01-18T18:18:06.040

Link: CVE-2016-4449

Redhat

Severity : Moderate

Publid Date: 2016-05-23T00:00:00Z

Links: CVE-2016-4449 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object