CVE-2016-0729
high-risk
Published 2016-04-07
Multiple buffer overflows in (1) internal/XMLReader.cpp, (2) util/XMLURL.cpp, and (3) util/XMLUri.cpp in the XML Parser library in Apache Xerces-C before 3.1.3 allow remote attackers to cause a denial of service (segmentation fault or memory corruption) or possibly execute arbitrary code via a crafted document.
Do I need to act?
!
23.0% chance of exploitation in next 30 days
EPSS score — higher than 77% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (4)
Affected Vendors
References (36)
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182062.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182131.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182597.html
Third Party Advisory
http://www.debian.org/security/2016/dsa-3493
Vendor Advisory
http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt
Vendor Advisory
https://issues.apache.org/jira/browse/XERCESC-2061
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182062.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182131.html
and 16 more references
56
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
14/34 · Moderate
Exposure
10/34 · Low