CVE-2016-5300 — Insufficient Entropy in Project Libexpat
Severity: 7.5 HIGH (NVD); CNA 4.3; OSV 5.9; OSV 4.3
EPSS: 2.2% (top 15.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jun 16; Latest update May 13
Description
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 2 packages
Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 15.10, 16.04
Patches
Vulnerability Details
GHSA (GHSA-59r7-7hc4-v4rf, 2022-05-13): The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service
OSV (CVE-2016-5300, 2016-06-16): The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service
CVE List (CVE-2016-5300, 2016-06-16): The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service
Vendor Advisories
Android (2016-11-01): Android Security Bulletin 2016-11-01
CVE: CVE-2016-5300
Severity: MEDIUM
Affected AOSP versions: 4