CVE-2016-3705
Severity
7.5HIGH
EPSS
1.0%
top 22.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMay 17
Latest updateMay 14
Description
The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages7 packages
Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 15.10, 16.04
🔴Vulnerability Details
4GHSA▶
GHSA-r6qj-ff26-p4v7: The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser↗2022-05-14
OSV▶
CVE-2016-3705: The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser↗2016-05-17
CVEList▶
CVE-2016-3705: The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser↗2016-05-17
📋Vendor Advisories
4💬Community
5Bugzilla▶
CVE-2016-9597 libxml2: stack overflow before detecting invalid XML file (unfixed CVE-2016-3705 in JBCS)↗2016-12-22
Bugzilla▶
CVE-2016-3705 mingw-libxml2: libxml2: stack overflow before detecting invalid XML file [fedora-all]↗2016-05-04
Bugzilla
▶
Bugzilla▶
CVE-2016-3705 mingw-libxml2: libxml2: stack overflow before detecting invalid XML file [epel-7]↗2016-05-04