CVE-2016-9318

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Published: Nov 16, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-9318
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
xmlsoft / libxml2	-	2.9.4.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	12.04	12.04.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	14.04	14.04.x

http://www.securityfocus.com/bid/94347
https://bugzilla.gnome.org/show_bug.cgi?id=772726
https://github.com/lsh123/xmlsec/issues/43
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
https://security.gentoo.org/glsa/201711-01
https://usn.ubuntu.com/3739-1/
https://usn.ubuntu.com/3739-2/

Vulnerability Database

289,689

CVE-2016-9318