CVE-2016-3674 Vulnerability in maven package com.thoughtworks.xstream:xstream

Description

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html

http://rhn.redhat.com/errata/RHSA-2016-2822.html

http://rhn.redhat.com/errata/RHSA-2016-2823.html

http://www.debian.org/security/2016/dsa-3575

http://www.openwall.com/lists/oss-security/2016/03/25/8

http://www.openwall.com/lists/oss-security/2016/03/28/1

http://www.securityfocus.com/bid/85381

http://www.securitytracker.com/id/1036419

http://x-stream.github.io/changes.html#1.4.9

https://github.com/x-stream/xstream/issues/25

Related Vulnerabilities

CVE-2021-23421 Vulnerability in npm package merge-change

CVE-2018-1000854 Vulnerability in maven package org.esigate:esigate-core

CVE-2019-12043 Vulnerability in maven package org.webjars.bowergithub.jonschlinkert:remarkable

CVE-2017-1000386 Vulnerability in maven package org.biouno:uno-choice

CVE-2022-31191 Vulnerability in maven package org.dspace:dspace-jspui

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N