CVE-2016-3674
HIGH 7.5 | EPSS 4.2% | libxstream-java - security update
Published: 2020/6/30 | Modified: 2026/4/28
Description
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Affected packages (4)
- Debian/libxstream-java from 0, < 1.4.9-1
- Debian/libxstream-java from 0, < 1.4.2-1+deb7u1
- Debian/libxstream-java from 0, < 1.4.7-2+deb8u1
- Maven/com.thoughtworks.xstream:xstream from 0, < 1.4.9
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (15)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-3674
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2016-3674
- PATCH https://github.com/x-stream/xstream
- WEB http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
- WEB http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-2822.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-2823.html
- WEB https://github.com/x-stream/xstream/issues/25
- WEB https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385
- WEB http://www.debian.org/security/2016/dsa-3575
- WEB http://www.openwall.com/lists/oss-security/2016/03/25/8
- WEB http://www.openwall.com/lists/oss-security/2016/03/28/1
- WEB http://www.securityfocus.com/bid/85381
- WEB http://www.securitytracker.com/id/1036419
- WEB http://x-stream.github.io/changes.html#1.4.9