CVE-2016-3674
moderate-risk
Published 2016-05-17
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Do I need to act?
EPSS score: 4.2% chance of exploitation in next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 (High); attack vector: NETWORK, attack complexity: LOW
Affected Products (5)
Affected Vendors
References (22)
[Broken Link] http://rhn.redhat.com/errata/RHSA-2016-2822.html
[Broken Link] http://rhn.redhat.com/errata/RHSA-2016-2823.html
[Third Party Advisory] http://www.debian.org/security/2016/dsa-3575
[Third Party Advisory] http://www.securityfocus.com/bid/85381
[Third Party Advisory] http://www.securitytracker.com/id/1036419
[Vendor Advisory] http://x-stream.github.io/changes.html#1.4.9
[Vendor Advisory] https://github.com/x-stream/xstream/issues/25
Risk score: 45 / 100 (moderate-risk)
Severity: 26/34 · High
Exploitability: 7/34 · Low
Exposure: 12/34 · Low