CVE-2016-9318

Severity: 5.5 MEDIUM
EPSS: 0.1% (top 68.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 16; Latest update Aug 14

Description

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

Debian: libxml2 < 2.9.10+dfsg-2+3
Ubuntu: libxml2 < 2.9.1+dfsg1-3ubuntu4.13+2
NVD: xmlsoft/libxml2 2.9.4

Also affects: Ubuntu Linux 12.04, 14.04, 16.04, 18.04

Patches

Vulnerability Details (3)

OSV: libxml2 vulnerabilities (2018-08-14)
OSV: CVE-2016-9318: libxml2 2 (2016-11-16)
CVEList: CVE-2016-9318: libxml2 2 (2016-11-16)

Vendor Advisories (4)

Ubuntu: libxml2 vulnerabilities (2018-08-14)
Ubuntu: libxml2 vulnerabilities (2018-08-14)
Red Hat: libxml2: XML External Entity vulnerability (2016-10-06)
Debian: CVE-2016-9318: libxml2 - libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other produc... (2016)

Community (5)

Bugzilla: CVE-2017-1000061 xmlsec1: xmlsec vulnerable to external entity expansion (2017-03-30)
Bugzilla: CVE-2016-9318 mingw-libxml2: libxml2: XML External Entity vulnerability [epel-7] (2016-11-16)
Bugzilla: CVE-2016-9318 libxml2: XML External Entity vulnerability (2016-11-16)
Bugzilla: CVE-2016-9318 mingw-libxml2: libxml2: XML External Entity vulnerability [fedora-all] (2016-11-16)
Bugzilla: CVE-2016-9318 libxml2: XML External Entity vulnerability [fedora-all] (2016-11-16)
CVE-2016-9318 (MEDIUM CVSS 5.5) | libxml2 2.9.4 and earlier | cvebase.io