CVE-2016-3674
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-3674
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1.4.9-1 |
| debian | bullseye | fixed | 1.4.9-1 |
| debian | forky | fixed | 1.4.9-1 |
| debian | sid | fixed | 1.4.9-1 |
| debian | trixie | fixed | 1.4.9-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | com.thoughtworks.xstream:xstream | <1.4.9 | 1.4.9 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-3674
- https://github.com/x-stream/xstream/issues/25
- https://github.com/x-stream/xstream
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
- http://rhn.redhat.com/errata/RHSA-2016-2822.html
- http://rhn.redhat.com/errata/RHSA-2016-2823.html
- http://www.debian.org/security/2016/dsa-3575
- http://www.openwall.com/lists/oss-security/2016/03/25/8
- http://www.openwall.com/lists/oss-security/2016/03/28/1
- http://www.securityfocus.com/bid/85381
- http://www.securitytracker.com/id/1036419
- http://x-stream.github.io/changes.html#1.4.9
- https://security-tracker.debian.org/tracker/CVE-2016-3674