{"api_version":"1","generated_at":"2026-04-22T23:29:32+00:00","cve":"CVE-2016-3674","urls":{"html":"https://cve.report/CVE-2016-3674","api":"https://cve.report/api/cve/CVE-2016-3674.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-3674","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-3674"},"summary":{"title":"CVE-2016-3674","description":"Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2016-05-17 14:08:00","updated_at":"2018-03-26 18:47:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2016/03/25/8","name":"[oss-security] 20160325 CVE request - XStream: XXE vulnerability","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - CVE request - XStream: XXE vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2016-2822.html","name":"RHSA-2016:2822","refsource":"REDHAT","tags":["Broken Link"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1036419","name":"1036419","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"IBM Lotus Domino XML External Entity Processing Flaw in XStream Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html","name":"FEDORA-2016-250042b8a6","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 22 Update: xstream-1.4.9-1.fc22","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/85381","name":"85381","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"XStream CVE-2016-3674 XML External Entity Multiple Information Disclosure Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.openwall.com/lists/oss-security/2016/03/28/1","name":"[oss-security] 20160328 Re: CVE request - XStream: XXE vulnerability","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: CVE request - XStream: XXE vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/x-stream/xstream/issues/25","name":"https://github.com/x-stream/xstream/issues/25","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"XXE vulnerability  · Issue #25 · x-stream/xstream · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html","name":"FEDORA-2016-de909cc333","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 23 Update: xstream-1.4.9-1.fc23","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2016-2823.html","name":"RHSA-2016:2823","refsource":"REDHAT","tags":["Broken Link"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.debian.org/security/2016/dsa-3575","name":"DSA-3575","refsource":"DEBIAN","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-3575-1 libxstream-java","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://x-stream.github.io/changes.html#1.4.9","name":"http://x-stream.github.io/changes.html#1.4.9","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"XStream - Change History","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-3674","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3674","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"3674","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"3674","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"3674","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"22","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"3674","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"23","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"3674","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"22","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"3674","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"23","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"3674","vulnerable":"1","versionEndIncluding":"1.4.8","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xstream_project","cpe5":"xstream","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2016-3674","qid":"375827","title":"XStream Arbitrary Code Execution And Multiple vulnerabilities"},{"cve":"CVE-2016-3674","qid":"730155","title":"McAfee Web Gateway Multiple Vulnerabilities(WP-3580, WP-3656, WP-3815, WP-3878, WP-3882, WP-3934,WP-3935, WP-3936, WP-3999)"},{"cve":"CVE-2016-3674","qid":"980759","title":"Java (maven) Security Update for com.thoughtworks.xstream:xstream (GHSA-rgh3-987h-wpmw)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2016-3674","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://x-stream.github.io/changes.html#1.4.9","refsource":"CONFIRM","url":"http://x-stream.github.io/changes.html#1.4.9"},{"name":"FEDORA-2016-de909cc333","refsource":"FEDORA","url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html"},{"name":"DSA-3575","refsource":"DEBIAN","url":"http://www.debian.org/security/2016/dsa-3575"},{"name":"RHSA-2016:2822","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2016-2822.html"},{"name":"85381","refsource":"BID","url":"http://www.securityfocus.com/bid/85381"},{"name":"1036419","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1036419"},{"name":"[oss-security] 20160328 Re: CVE request - XStream: XXE vulnerability","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2016/03/28/1"},{"name":"RHSA-2016:2823","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2016-2823.html"},{"name":"https://github.com/x-stream/xstream/issues/25","refsource":"CONFIRM","url":"https://github.com/x-stream/xstream/issues/25"},{"name":"[oss-security] 20160325 CVE request - XStream: XXE vulnerability","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2016/03/25/8"},{"name":"FEDORA-2016-250042b8a6","refsource":"FEDORA","url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html"}]}},"nvd":{"publishedDate":"2016-05-17 14:08:00","lastModifiedDate":"2018-03-26 18:47:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*","versionEndIncluding":"1.4.8","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"3674","Ordinal":"89551","Title":"CVE-2016-3674","CVE":"CVE-2016-3674","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"3674","Ordinal":"1","NoteData":"Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"3674","Ordinal":"2","NoteData":"2016-05-17","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"3674","Ordinal":"3","NoteData":"2018-01-04","Type":"Other","Title":"Modified"}]}}}