{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-15T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-08T22:06:16.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.gnome.org/show_bug.cgi?id=772726"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lsh123/xmlsec/issues/43"}, {"name": "USN-3739-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3739-1/"}, {"name": "GLSA-201711-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201711-01"}, {"name": "94347", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94347"}, {"name": "USN-3739-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3739-2/"}, {"name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-9318", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.gnome.org/show_bug.cgi?id=772726", "refsource": "MISC", "url": "https://bugzilla.gnome.org/show_bug.cgi?id=772726"}, {"name": "https://github.com/lsh123/xmlsec/issues/43", "refsource": "MISC", "url": "https://github.com/lsh123/xmlsec/issues/43"}, {"name": "USN-3739-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3739-1/"}, {"name": "GLSA-201711-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201711-01"}, {"name": "94347", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94347"}, {"name": "USN-3739-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3739-2/"}, {"name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:50:36.929Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.gnome.org/show_bug.cgi?id=772726"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lsh123/xmlsec/issues/43"}, {"name": "USN-3739-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3739-1/"}, {"name": "GLSA-201711-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201711-01"}, {"name": "94347", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94347"}, {"name": "USN-3739-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3739-2/"}, {"name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-611", "lang": "en", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-04T16:39:51.276284Z", "id": "CVE-2016-9318", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-04T16:39:57.327Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-9318", "datePublished": "2016-11-16T00:00:00.000Z", "dateReserved": "2016-11-14T00:00:00.000Z", "dateUpdated": "2025-12-04T16:39:57.327Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugzilla.gnome.org/show_bug.cgi?id=772726", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/lsh123/xmlsec/issues/43", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://usn.ubuntu.com/3739-1/", "name": "USN-3739-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/201711-01", "name": "GLSA-201711-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"]}, {"url": "http://www.securityfocus.com/bid/94347", "name": "94347", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"]}, {"url": "https://usn.ubuntu.com/3739-2/", "name": "USN-3739-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html", "name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:50:36.929Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2016-9318", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-04T16:39:51.276284Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-04T16:37:12.102Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-15T00:00:00.000Z", "references": [{"url": "https://bugzilla.gnome.org/show_bug.cgi?id=772726", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/lsh123/xmlsec/issues/43", "tags": ["x_refsource_MISC"]}, {"url": "https://usn.ubuntu.com/3739-1/", "name": "USN-3739-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"]}, {"url": "https://security.gentoo.org/glsa/201711-01", "name": "GLSA-201711-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"]}, {"url": "http://www.securityfocus.com/bid/94347", "name": "94347", "tags": ["vdb-entry", "x_refsource_BID"]}, {"url": "https://usn.ubuntu.com/3739-2/", "name": "USN-3739-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html", "name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update", "tags": ["mailing-list", "x_refsource_MLIST"]}], "descriptions": [{"lang": "en", "value": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-04-08T22:06:16.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://bugzilla.gnome.org/show_bug.cgi?id=772726", "name": "https://bugzilla.gnome.org/show_bug.cgi?id=772726", "refsource": "MISC"}, {"url": "https://github.com/lsh123/xmlsec/issues/43", "name": "https://github.com/lsh123/xmlsec/issues/43", "refsource": "MISC"}, {"url": "https://usn.ubuntu.com/3739-1/", "name": "USN-3739-1", "refsource": "UBUNTU"}, {"url": "https://security.gentoo.org/glsa/201711-01", "name": "GLSA-201711-01", "refsource": "GENTOO"}, {"url": "http://www.securityfocus.com/bid/94347", "name": "94347", "refsource": "BID"}, {"url": "https://usn.ubuntu.com/3739-2/", "name": "USN-3739-2", "refsource": "UBUNTU"}, {"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html", "name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update", "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2016-9318", "STATE": "PUBLIC", "ASSIGNER": "cve@mitre.org"}}}}, "cveMetadata": {"cveId": "CVE-2016-9318", "state": "PUBLISHED", "dateUpdated": "2025-12-04T16:39:57.327Z", "dateReserved": "2016-11-14T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2016-11-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CC4875D-A4B2-4A7C-B020-7C2E86412B7C", "versionEndIncluding": "2.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:xmlsec_project:xmlsec:*:*:*:*:*:*:*:*", "matchCriteriaId": "028F68AA-1521-4D93-B3C7-98D71FCB840F", "versionEndIncluding": "1.2.23", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document."}, {"lang": "es", "value": "libxml2 2.9.4 y versiones anteriores, como se usa en XMLSec 1.2.23 y versiones anteriores y otros productos, no ofrece un indicador que indique directamente que el documento actual puede ser leido pero otros archivos no pueden ser abiertos, lo que facilita a atacantes remotos llevar a cabo ataques XML External Entity (XXE) a trav\u00e9s de un documento manipulado."}], "id": "CVE-2016-9318", "lastModified": "2025-12-04T17:15:51.100", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2016-11-16T00:59:00.180", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94347"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.gnome.org/show_bug.cgi?id=772726"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/lsh123/xmlsec/issues/43"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201711-01"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3739-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3739-2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94347"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.gnome.org/show_bug.cgi?id=772726"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/lsh123/xmlsec/issues/43"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201711-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3739-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3739-2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2018:2486", "cpe": "cpe:/a:redhat:jboss_core_services:1", "product_name": "Text-Only JBCS", "release_date": "2018-08-16T00:00:00Z"}], "bugzilla": {"description": "libxml2: XML External Entity vulnerability", "id": "1395609", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1395609"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "status": "verified"}, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L", "status": "verified"}, "cwe": "CWE-611", "details": ["libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document."], "mitigation": {"lang": "en:us", "value": "Application parsing untrusted input with libxml2 should be careful to NOT use entity expansion (enabled by XML_PARSE_NOENT) or DTD validation (XML_PARSE_DTDLOAD, XML_PARSE_DTDVALID) on such input."}, "name": "CVE-2016-9318", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "libxml2", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "libxml2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "libxml2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Under investigation", "package_name": "libxml2", "product_name": "Red Hat JBoss Enterprise Web Server 1"}], "public_date": "2016-10-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-9318\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-9318"], "threat_severity": "Moderate"}