CVE-2016-9318
Summary
| CVE | CVE-2016-9318 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-11-16 00:59:00 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.001500000 probability, percentile 0.350750000 (date 2026-05-10)
Problem Types: CWE-611 | n/a | CWE-611 CWE-611 Improper Restriction of XML External Entity Reference
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| 3.1 | ADP | DECLARED | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| 2.0 | [email protected] | Primary | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
PartialIntegrity
NoneAvailability
NoneAV:N/AC:M/Au:N/C:P/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
| Application | Xmlsec Project | Xmlsec | All | All | All | All |
| Application | Xmlsoft | Libxml2 | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] [DLA 2972-1] libxml2 security update | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | |
| Bug 772726 – XXE problems continue | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.gnome.org | Issue Tracking, Patch, Third Party Advisory, VDB Entry |
| libxml2 CVE-2016-9318 XML External Entity Injection Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| USN-3739-1: libxml2 vulnerabilities | Ubuntu security notices | af854a3a-2127-422b-91ae-364da2661108 | usn.ubuntu.com | Third Party Advisory |
| libxml2: Multiple vulnerabilities (GLSA 201711-01) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| USN-3739-2: libxml2 vulnerabilities | Ubuntu security notices | af854a3a-2127-422b-91ae-364da2661108 | usn.ubuntu.com | Third Party Advisory |
| xmlsec vulnerable to XXE · Issue #43 · lsh123/xmlsec · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Exploit, Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 179176 Debian Security Update for libxml2 (DLA 2972-1)
- 500347 Alpine Linux Security Update for libxml2
- 504110 Alpine Linux Security Update for libxml2
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 710359 Gentoo Linux libxml2 Multiple Vulnerabilities (GLSA 201711-01)