CVE-2016-4658
Published 2016-09-25
Priority: P3 · 50 · critical · 9.8 · CVSS 3.0
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.63% (94.4th percentile)
xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 10.0 | 10.0 |
| apple | mac_os_x | < 10.12 | 10.12 |
| apple | macos_sierra | — | — |
| apple | tvos | < 10.0 | 10.0 |
| apple | tvos | — | — |
| apple | watchos | < 3.0 | 3.0 |
| apple | watchos_3 | — | — |
| debian | libxml2 | < libxml2 2.9.4+dfsg1-2.1 (bookworm) | libxml2 2.9.4+dfsg1-2.1 (bookworm) |
| android | — | — | — |
| nokogiri | nokogiri | >= 0 < 1.7.1 | 1.7.1 |
| xmlsoft | libxml2 | < 2.9.5 | 2.9.5 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-2.1 | 2.9.4+dfsg1-2.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-2.1 | 2.9.4+dfsg1-2.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-2.1 | 2.9.4+dfsg1-2.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-2.1 | 2.9.4+dfsg1-2.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.9 | 2.9.1+dfsg1-3ubuntu4.9 |
| xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.2 | 2.9.3+dfsg1-1ubuntu0.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Android
CVE-2016-4658: Android Security Bulletin 2017-06-01
vendor_android·2017-06-01·CVSS 9.8
Android Security Bulletin 2017-06-01
CVE: CVE-2016-4658
Severity: HIGH
Type: RCE
Affected AOSP versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
References: A-36554207
Ubuntu
libxml2 vulnerabilities
vendor_ubuntu·2017-03-16·CVSS 9.8
CVE-2016-4448 [CRITICAL] libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.

It was discovered that libxml2 incorrectly handled format strings. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 16.04 LTS. (CVE-2016-4448)

It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4658)

Nick Wellnhofer discovered that libxml2 incorrectly handled certain malformed
Red Hat
libxml2: Use after free via namespace node in XPointer ranges
vendor_redhat·2016-10-12·CVSS 9.8
CVE-2016-4658 [CRITICAL] CWE-416 libxml2: Use after free via namespace node in XPointer ranges
xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
A use-after-free flaw was found in the XPointer implementation of libxml2. An attacker could use this flaw against an application parsing untrusted XML files and compiled with libxml2 to leak a small amount of memory data.
Statement: This flaw can be triggered by parsing untrusted XML files via applications compiled with libxml2, causing the application to crash. For web browsers or bro
Apple
CVE-2016-4658: macOS Sierra 10.12
vendor_apple·2016-09-20·CVSS 9.8
Apple Security Update: About the security content of macOS Sierra 10.12
Product: macOS Sierra
Version: 10.12
CVE: CVE-2016-4658
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved memory handling.
Apple
CVE-2016-4658: iOS 10
vendor_apple·2016-09-13·CVSS 9.8
Apple Security Update: About the security content of iOS 10
Product: iOS
Version: 10
CVE: CVE-2016-4658
Component: Keyboards
Impact: Keyboard auto correct suggestions may reveal sensitive information
Description: The iOS keyboard was inadvertently caching sensitive information. This issue was addressed through improved heuristics.
Apple
CVE-2016-4658: tvOS 10
vendor_apple·2016-09-13·CVSS 9.8
Apple Security Update: About the security content of tvOS 10
Product: tvOS
Version: 10
CVE: CVE-2016-4658
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved memory handling.
Apple
CVE-2016-4658: watchOS 3
vendor_apple·2016-09-13·CVSS 9.8
Apple Security Update: About the security content of watchOS 3
Product: watchOS 3
CVE: CVE-2016-4658
Component: Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved memory handling.
Debian
CVE-2016-4658: libxml2 - xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before ...
vendor_debian·2016·CVSS 9.8
xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
Scope: local
bookworm: resolved (fixed in 2.9.4+dfsg1-2.1)
bullseye: resolved (fixed in 2.9.4+dfsg1-2.1)
forky: resolved (fixed in 2.9.4+dfsg1-2.1)
sid: resolved (fixed in 2.9.4+dfsg1-2.1)
trixie: resolved (fixed in 2.9.4+dfsg1-2.1)
GHSA
Nokogiri does not forbid namespace nodes in XPointer ranges
ghsa·2018-08-21
CVE-2016-4658 [CRITICAL] CWE-119 Nokogiri does not forbid namespace nodes in XPointer ranges
xpointer.c in libxml2 before 2.9.5 (as used in nokogiri before 1.7.1 amongst other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
OSV
Nokogiri does not forbid namespace nodes in XPointer ranges
osv·2018-08-21
xpointer.c in libxml2 before 2.9.5 (as used in nokogiri before 1.7.1 amongst other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
OSV
libxml2 vulnerabilities
osv·2017-03-16·CVSS 9.8
CVE-2016-4448 [CRITICAL] libxml2 vulnerabilities

It was discovered that libxml2 incorrectly handled format strings. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 16.04 LTS. (CVE-2016-4448)

It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4658)

Nick Wellnhofer discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into openi
OSV
CVE-2016-4658: xpointer
osv·2016-09-25·CVSS 9.8
xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-4658 mingw-libxml2: libxml2: Use after free via namespace node in XPointer ranges [epel-7]
bugzilla·2016-10-13·CVSS 9.8

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

[bug automatically created by
Bugzilla
CVE-2016-4658 libxml2: Use after free via namespace node in XPointer ranges
bugzilla·2016-10-13·CVSS 9.8
Possible use after free vulnerability via namespace nodes in XPointer ranges was found.
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
Discussion:
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1384427]
---
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1384429]
Affects: epel-7 [bug 1384430]
---
(In reply to Adam Mariš from comment #0)
> Possible use after free vulnerability via namespace nodes in XPointer ranges
> was found.
>
> Upstream patch:
>
> https://git.gnome.org/browse/libxml2/commit/
> ?id=c1d1f7121194036608bf555f08d3062a36fd344b
Hello Adam,
We have been monitoring the URL ftp://xml
Bugzilla
CVE-2016-4658 libxml2: Use after free via namespace node in XPointer ranges [fedora-all]
bugzilla·2016-10-13·CVSS 9.8

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue affects multiple supported v
Bugzilla
CVE-2016-4658 mingw-libxml2: libxml2: Use after free via namespace node in XPointer ranges [fedora-all]
bugzilla·2016-10-13·CVSS 9.8

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue affects multi
References
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html
- http://www.securityfocus.com/bid/93054
- http://www.securitytracker.com/id/1036858
- http://www.securitytracker.com/id/1038623
- https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
- https://security.gentoo.org/glsa/201701-37
- https://support.apple.com/HT207141
- https://support.apple.com/HT207142
- https://support.apple.com/HT207143
- https://support.apple.com/HT207170