CVE-2016-9318

Published: 11/16/2016 Last updated: 12/4/2025 Reserved: 11/14/2016

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	5.5	Medium	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Opam packages affected (5)

bap-llvm conf-gtksourceview conf-gtksourceview3 conf-librsvg2 lablgtk3-gtkspell3

Products affected (0)

No product listed.

References (28)

https://bugzilla.gnome.org/show_bug.cgi?id=772726
https://github.com/lsh123/xmlsec/issues/43
https://usn.ubuntu.com/3739-1/
https://security.gentoo.org/glsa/201711-01
http://www.securityfocus.com/bid/94347
https://usn.ubuntu.com/3739-2/
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
https://bugzilla.gnome.org/show_bug.cgi?id=772726
https://github.com/lsh123/xmlsec/issues/43
https://usn.ubuntu.com/3739-1/
https://security.gentoo.org/glsa/201711-01
http://www.securityfocus.com/bid/94347
https://usn.ubuntu.com/3739-2/
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
https://bugzilla.gnome.org/show_bug.cgi?id=772726
https://github.com/lsh123/xmlsec/issues/43
https://usn.ubuntu.com/3739-1/
https://security.gentoo.org/glsa/201711-01
http://www.securityfocus.com/bid/94347
https://usn.ubuntu.com/3739-2/
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
https://bugzilla.gnome.org/show_bug.cgi?id=772726
https://github.com/lsh123/xmlsec/issues/43
https://usn.ubuntu.com/3739-1/
https://security.gentoo.org/glsa/201711-01
http://www.securityfocus.com/bid/94347
https://usn.ubuntu.com/3739-2/
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html