CVE-2016-5300

Summary

CVE	CVE-2016-5300
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2016-06-16 18:59:00 UTC
Updated	2023-11-07 02:33:00 UTC
Description	The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.

Risk And Classification

Problem Types: CWE-399

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	15.10	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	15.10	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Google	Android	4.4.4	All	All	All
Operating System	Google	Android	5.0.2	All	All	All
Operating System	Google	Android	5.1.1	All	All	All
Operating System	Google	Android	6.0	All	All	All
Operating System	Google	Android	6.0.1	All	All	All
Operating System	Google	Android	4.4.4	All	All	All
Operating System	Google	Android	5.0.2	All	All	All
Operating System	Google	Android	5.1.1	All	All	All
Operating System	Google	Android	6.0	All	All	All
Operating System	Google	Android	6.0.1	All	All	All
Application	Libexpat Project	Libexpat	All	All	All	All
Application	Libexpat Project	Libexpat	All	All	All	All

References

Reference	Source	Link	Tags
oss-security - Re: expat hash collision fix too predictable?	MLIST	www.openwall.com	Mailing List
Debian -- Security Information -- DSA-3597-1 expat	DEBIAN	www.debian.org	Third Party Advisory
[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Android Security Bulletin—November 2016 \| Android Open Source Project	CONFIRM	source.android.com	Third Party Advisory
CPU July 2018	CONFIRM	www.oracle.com	Patch, Third Party Advisory
Expat: Multiple vulnerabilities (GLSA 201701-21) — Gentoo Security	GENTOO	security.gentoo.org	Third Party Advisory
Security Bulletin - Policy Auditor update fixes multiple vulnerabilities in third-party libraries (CVE-2016-0718, CVE-2016-4472, CVE-2016-5300, CVE-2017-17740, CVE-2017-9287, CVE-2019-13057, CVE-2020-15719, CVE-2019-1543, CVE-2019-1547, CVE-2019-1552, CVE-2019-1563, CVE-2019-8457, CVE-2018-20506, CVE-2018-20346, CVE-2019-16168, CVE-2017-12627)	CONFIRM	kc.mcafee.com
Expat CVE-2016-5300 Incomplete Fix Remote Denial of Service Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
Pony Mail!	MLIST	lists.apache.org
[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8		lists.apache.org
[R2] PVS 5.2.0 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory \| Tenable Network Security	CONFIRM	www.tenable.com	Third Party Advisory
USN-3010-1: Expat vulnerabilities \| Ubuntu	UBUNTU	www.ubuntu.com	Third Party Advisory
oss-security - Re: expat hash collision fix too predictable?	MLIST	www.openwall.com	Mailing List
Oracle Solaris Bulletin - July 2016	CONFIRM	www.oracle.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

710322 Gentoo Linux Expat Multiple Vulnerabilities (GLSA 201701-21)