Lucene search

[email protected]CVE-2016-9318

HistoryNov 16, 2016 - 12:59 a.m.

CVE-2016-9318

2016-11-1600:59:00

CWE-611

[email protected]

web.nvd.nist.gov

112

cve-2016-9318

libxml2

xxe

vulnerability

xmlsec

nvd

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

5.9 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

59.3%

JSON

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

CPENameOperatorVersion
xmlsoft:libxml2xmlsoft libxml2le2.9.4
canonical:ubuntu_linuxcanonical ubuntu linuxeq16.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq12.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq18.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq14.04

CPE	Name	Operator	Version
xmlsoft:libxml2	xmlsoft libxml2	le	2.9.4
canonical:ubuntu_linux	canonical ubuntu linux	eq	16.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	12.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	18.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	14.04