Severity: 6.5 MEDIUM
EPSS: 12.9% (top 5.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 16; latest update May 13

Description

Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: apache/subversion, 82 versions (+81)
CVEListV5: apache_software_foundation/apache_subversion, 1.4.0 to 1.8.16, 1.9.0 to 1.9.4 (+1)
Debian: subversion < 1.9.5-1 (+3)

Also affects: Debian Linux 8.0, 9.0

🔴Vulnerability Details (3)

GHSA: GHSA-x5mc-4p5h-grh2: Apache Subversion's mod_dontdothat module and HTTP clients 1 (2022-05-13)
CVEList: CVE-2016-8734: Apache Subversion's mod_dontdothat module and HTTP clients 1 (2017-10-16)
OSV: CVE-2016-8734: Apache Subversion's mod_dontdothat module and HTTP clients 1 (2017-10-16)

📋Vendor Advisories (4)

Ubuntu: Subversion vulnerabilities (2017-08-11)
Red Hat: subversion: unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s):// (2016-11-29)
Debian: CVE-2016-8734: subversion - Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16,... (2016)
Apache: Apache subversion: CVE-2016-8734

💬Community (2)

Bugzilla: CVE-2016-8734 subversion: unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s):// [fedora-all] (2016-11-29)
Bugzilla: CVE-2016-8734 subversion: unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s):// (2016-11-22)
CVE-2016-8734 (MEDIUM CVSS 6.5) | Apache Subversion's mod_dontdothat | cvebase.io