CVE-2016-8734

high-risk

Published 2017-10-16

Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.

Do I need to act?

12.9% chance of exploitation in next 30 days

EPSS score — higher than 87% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Subversion

Affected Vendors

Apache Debian

References (12)

Third Party Advisory http://www.debian.org/security/2017/dsa-3932

Third Party Advisory http://www.securityfocus.com/bid/94588

Third Party Advisory http://www.securitytracker.com/id/1037361

https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b...

Issue Tracking https://subversion.apache.org/security/CVE-2016-8734-advisory.txt

https://www.oracle.com/security-alerts/cpuoct2020.html

Third Party Advisory http://www.debian.org/security/2017/dsa-3932

Third Party Advisory http://www.securityfocus.com/bid/94588

Third Party Advisory http://www.securitytracker.com/id/1037361

https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b...

Issue Tracking https://subversion.apache.org/security/CVE-2016-8734-advisory.txt

https://www.oracle.com/security-alerts/cpuoct2020.html

/ 100

high-risk

Severity 24/34 · High

Exploitability 12/34 · Low

Exposure 29/34 · Critical