CVE-2016-3705

EPSS 1.03%
Published 17.05.2016 14:08:04
Last modified 12.04.2025 10:46:40
Source secalert@redhat.com
Teams watchlist Login
Open Login

The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.

Affected products Warnungen 0 Metrics 3 CWE 1 References 19

Data is provided by the National Vulnerability Database (NVD)

Canonical ≫ Ubuntu Linux Version12.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version14.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version15.10

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Xmlsoft ≫ Libxml2 Version2.9.3

Debian ≫ Debian Linux Version8.0

Hp ≫ Icewall Federation Agent Version3.0

Hp ≫ Icewall File Manager Version3.0

Opensuse ≫ Leap Version42.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.03%	0.767

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://rhn.redhat.com/errata/RHSA-2016-2957.html

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

https://security.gentoo.org/glsa/201701-37

https://www.tenable.com/security/tns-2016-18

http://www.ubuntu.com/usn/USN-2994-1

https://www.debian.org/security/2016/dsa-3593

https://access.redhat.com/errata/RHSA-2016:1292

https://kc.mcafee.com/corporate/index?page=content&id=SB10170

http://lists.opensuse.org/opensuse-updates/2016-05/msg00055.html

http://lists.opensuse.org/opensuse-updates/2016-05/msg00127.html