{"api_version":"1","generated_at":"2026-04-22T23:20:45+00:00","cve":"CVE-2016-9318","urls":{"html":"https://cve.report/CVE-2016-9318","api":"https://cve.report/api/cve/CVE-2016-9318.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-9318","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-9318"},"summary":{"title":"CVE-2016-9318","description":"libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2016-11-16 00:59:00","updated_at":"2022-04-08 23:15:00"},"problem_types":["CWE-611"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html","name":"[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2972-1] libxml2 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/201711-01","name":"GLSA-201711-01","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"libxml2: Multiple vulnerabilities (GLSA 201711-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/3739-1/","name":"USN-3739-1","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-3739-1: libxml2 vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/3739-2/","name":"USN-3739-2","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-3739-2: libxml2 vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/94347","name":"94347","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"libxml2 CVE-2016-9318 XML External Entity Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://github.com/lsh123/xmlsec/issues/43","name":"https://github.com/lsh123/xmlsec/issues/43","refsource":"MISC","tags":["Exploit","Patch","Third Party Advisory"],"title":"xmlsec vulnerable to XXE · Issue #43 · lsh123/xmlsec · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.gnome.org/show_bug.cgi?id=772726","name":"https://bugzilla.gnome.org/show_bug.cgi?id=772726","refsource":"MISC","tags":["Issue Tracking","Patch","Third Party Advisory","VDB Entry"],"title":"Bug 772726 – XXE problems continue","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-9318","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9318","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"9318","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"12.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"esm","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"esm","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"12.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"esm","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"esm","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"-1","versionEndIncluding":"1.2.23","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xmlsec_project","cpe5":"xmlsec","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"0","versionEndIncluding":"1.2.23","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xmlsec_project","cpe5":"xmlsec","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"9318","vulnerable":"1","versionEndIncluding":"2.9.4","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xmlsoft","cpe5":"libxml2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2016-9318","qid":"179176","title":"Debian Security Update for libxml2 (DLA 2972-1)"},{"cve":"CVE-2016-9318","qid":"500347","title":"Alpine Linux Security Update for libxml2"},{"cve":"CVE-2016-9318","qid":"504110","title":"Alpine Linux Security Update for libxml2"},{"cve":"CVE-2016-9318","qid":"591406","title":"Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)"},{"cve":"CVE-2016-9318","qid":"710359","title":"Gentoo Linux libxml2 Multiple Vulnerabilities (GLSA 201711-01)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2016-9318","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://bugzilla.gnome.org/show_bug.cgi?id=772726","refsource":"MISC","url":"https://bugzilla.gnome.org/show_bug.cgi?id=772726"},{"name":"https://github.com/lsh123/xmlsec/issues/43","refsource":"MISC","url":"https://github.com/lsh123/xmlsec/issues/43"},{"name":"USN-3739-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/3739-1/"},{"name":"GLSA-201711-01","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201711-01"},{"name":"94347","refsource":"BID","url":"http://www.securityfocus.com/bid/94347"},{"name":"USN-3739-2","refsource":"UBUNTU","url":"https://usn.ubuntu.com/3739-2/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update","url":"https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"}]}},"nvd":{"publishedDate":"2016-11-16 00:59:00","lastModifiedDate":"2022-04-08 23:15:00","problem_types":["CWE-611"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*","versionEndIncluding":"2.9.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:xmlsec_project:xmlsec:*:*:*:*:*:*:*:*","versionEndIncluding":"1.2.23","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"9318","Ordinal":"95998","Title":"CVE-2016-9318","CVE":"CVE-2016-9318","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"9318","Ordinal":"1","NoteData":"libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"9318","Ordinal":"2","NoteData":"2016-11-15","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"9318","Ordinal":"3","NoteData":"2018-08-15","Type":"Other","Title":"Modified"}]}}}