CVE-2016-4449

Published on: 06/09/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:26:59 PM UTC

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Certain versions of Ubuntu Linux from Canonical contain the following vulnerability:

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

  • CVE-2016-4449 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.1 - HIGH

Attack Vector:          LOCAL
Attack Complexity:      LOW
Privileges Required:    NONE
User Interaction:       REQUIRED
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       NONE
Availability Impact:    HIGH

CVSS2 Score: 5.8 - MEDIUM

Access Vector:          NETWORK
Access Complexity:      MEDIUM
Authentication:         NONE
Confidentiality Impact: PARTIAL
Integrity Impact:       NONE
Availability Impact:    PARTIAL

CVE References

  • About the security content of iCloud for Windows 5.2.1 - Apple Support (support.apple.com) - CONFIRM: support.apple.com/HT206899
  • About the security content of OS X El Capitan v10.11.6 and Security Update 2016-004 - Apple Support (support.apple.com) - CONFIRM: support.apple.com/HT206903
  • Apple macOS/OS X Multiple Flaws Let Remote and Local Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTracker (www.securitytracker.com) - SECTRACK: 1036348
  • USN-2994-1: libxml2 vulnerabilities | Ubuntu (www.ubuntu.com) - UBUNTU: USN-2994-1
  • Defect information publication site (support.cybozu.com) - CONFIRM: support.cybozu.com/ja-jp/article/9735
  • APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004 (lists.apple.com) - APPLE: APPLE-SA-2016-07-18-1
  • APPLE-SA-2016-07-18-6 iTunes 12.4.2 (lists.apple.com) - APPLE: APPLE-SA-2016-07-18-6
  • The Slackware Linux Project: Slackware Security Advisories (www.slackware.com) - SLACKWARE: SSA:2016-148-01
  • Debian -- Security Information -- DSA-3593-1 libxml2 (www.debian.org; link deprecated) - DEBIAN: DSA-3593
  • Oracle Critical Patch Update - January 2018 (www.oracle.com) - CONFIRM: www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
  • About the security content of watchOS 2.2.2 - Apple Support (support.apple.com) - CONFIRM: support.apple.com/HT206904
  • JVNDB-2017-000066 - JVN iPedia (jvndb.jvn.jp) - JVNDB: JVNDB-2017-000066
  • [R7] LCE 4.8.1 Fixes Multiple Vulnerabilities - Security Advisory | Tenable (www.tenable.com) - CONFIRM: www.tenable.com/security/tns-2016-18
  • JVN#17535578: Multiple vulnerabilities in Cybozu Office (jvn.jp) - JVN: JVN#17535578
  • McAfee Security Bulletin: McAfee Web Gateway update fixes several vulnerabilities related to xml parsing (kc.mcafee.com) - CONFIRM: kc.mcafee.com/corporate/index?page=content&id=SB10170
  • Red Hat Customer Portal (access.redhat.com) - REDHAT: RHSA-2016:1292
  • Oracle VM Server for x86 Bulletin - July 2016 (web.archive.org; link inactive, not archived) - CONFIRM: www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
  • Libxml2 'xmlLoadEntityContent()' Function CVE-2016-4449 Security Bypass Vulnerability (cve.report archive) - BID: 90865
  • Releases (xmlsoft.org) - CONFIRM: xmlsoft.org/news.html
  • About the security content of iOS 9.3.3 - Apple Support (support.apple.com) - CONFIRM: support.apple.com/HT206902
  • oss-security - 3 libxml2 issues (www.openwall.com) - MLIST: [oss-security] 20160525 3 libxml2 issues
  • APPLE-SA-2016-07-18-3 watchOS 2.2.2 (lists.apple.com) - APPLE: APPLE-SA-2016-07-18-3
  • About the security content of iTunes 12.4.2 for Windows - Apple Support (support.apple.com) - CONFIRM: support.apple.com/HT206901
  • Document Display | HPE Support Center (h20566.www2.hpe.com) - CONFIRM: h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05194709
  • APPLE-SA-2016-07-18-4 tvOS 9.2.2 (lists.apple.com) - APPLE: APPLE-SA-2016-07-18-4
  • APPLE-SA-2016-07-18-2 iOS 9.3.3 (lists.apple.com) - APPLE: APPLE-SA-2016-07-18-2
  • About the security content of tvOS 9.2.2 - Apple Support (support.apple.com) - CONFIRM: support.apple.com/HT206905
  • Fix inappropriate fetch of entities content (b1d34de4) · Commits · GNOME / libxml2 · GitLab (git.gnome.org; tagged Vendor Advisory) - CONFIRM: git.gnome.org/browse/libxml2/commit/?id=b1d34de46a11323fccffa9fadeb33be670d602f5
  • Red Hat Customer Portal (web.archive.org; link inactive, not archived) - REDHAT: RHSA-2016:2957
  • Oracle Solaris Bulletin - July 2016 (www.oracle.com) - CONFIRM: www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

Known Affected Configurations (CPE V2.3)

Type              Vendor     Product        Version  Update  Edition  Language
Operating System  Canonical  Ubuntu Linux   12.04    All     All      All
Operating System  Canonical  Ubuntu Linux   14.04    All     All      All
Operating System  Canonical  Ubuntu Linux   15.10    All     All      All
Operating System  Canonical  Ubuntu Linux   16.04    All     All      All
Operating System  Debian     Debian Linux   8.0      All     All      All
Application       Xmlsoft    Libxml2        All      All     All      All
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*