Denial of Service Vulnerability in Expat XML Parser by Expat Project
CVE-2016-5300

7.5HIGH

Key Information:

Vendor
Canonical
CVE Published:
16 June 2016

Summary

Expat seeds the hash tables it uses for the names in an XML document with a per-parser salt, but that salt was generated from a source with too little entropy, so an attacker can predict or enumerate it. A context-dependent attacker who can get a document parsed can then craft identifiers that all hash to the same bucket, degrading the tables to linear chains and causing heavy CPU consumption, that is, a denial of service. This is a hash-flooding (algorithmic complexity) attack rather than a cryptographic weakness: a hash salt only defends against crafted collisions if it is unpredictable. The issue exists because the fix for CVE-2012-0876, which introduced the salt, was incomplete. Organizations using Expat, including applications that ship their own copy of the library, should apply the updated packages.
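The attack described above, as an added example that is not Expat's code: a small chained hash table whose salt is derived only from the wall-clock second (a stand-in for seeding a PRNG with time(NULL)), an attacker routine that enumerates identifiers colliding under a guessed salt, and a comparison of the resulting chain length when the guess is exact, when it is only within a minute of the truth, and when the salt instead comes from an unpredictable source. The hash function, the salt derivation, the timestamp and the "strong" salt constant are all constructed for this example and are assumptions, not Expat internals.

```c
/* Added example (not Expat's code): hash flooding against a parser whose
 * per-parser hash salt comes from a low-entropy source, the failure pattern
 * behind CVE-2016-5300. Build: cc -std=c99 -O2 -o hashflood hashflood.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 256      /* power of two: bucket = hash & (NBUCKETS - 1) */
#define NAME_LEN 16
#define NCRAFTED 64       /* identifiers per crafted document */

/* Salted string hash: FNV-1a seeded with the salt, then the murmur3 fmix32
 * finaliser so every state bit influences the bucket. This is a stand-in for
 * the parser's identifier hash, not Expat's function. */
static uint32_t salted_hash(const char *s, uint32_t salt) {
    uint32_t h = 2166136261u ^ salt;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h;
}

static unsigned bucket_of(const char *s, uint32_t salt) {
    return salted_hash(s, salt) & (NBUCKETS - 1);
}

/* The weakness: a salt derived only from the wall-clock second (modelled on
 * seeding a PRNG with time(NULL); the exact derivation is an assumption).
 * Anyone who knows roughly when the parser was created can enumerate it. */
static uint32_t weak_salt(uint32_t clock_seconds) {
    return clock_seconds * 1103515245u + 12345u;
}

/* Attacker: enumerate identifiers and keep the ones that fall into bucket 0
 * under the guessed salt. Returns how many were collected. */
static int craft_colliding(uint32_t guessed_salt, char names[][NAME_LEN], int want) {
    int found = 0;
    for (unsigned i = 0; found < want && i < 1000000u; i++) {
        char cand[NAME_LEN];
        snprintf(cand, sizeof cand, "id%u", i);
        if (bucket_of(cand, guessed_salt) == 0)
            strcpy(names[found++], cand);
    }
    return found;
}

/* Victim: insert the names into a chained table and report the longest chain.
 * Each lookup walks its chain, so a chain of n means O(n^2) work overall. */
static int max_chain(char names[][NAME_LEN], int n, uint32_t real_salt) {
    int load[NBUCKETS] = {0}, worst = 0;
    for (int i = 0; i < n; i++) {
        unsigned b = bucket_of(names[i], real_salt);
        if (++load[b] > worst) worst = load[b];
    }
    return worst;
}

/* Longest chain a document crafted for `guessed` produces against `real`. */
static int chain_under(uint32_t guessed, uint32_t real) {
    char names[NCRAFTED][NAME_LEN];
    int n = craft_colliding(guessed, names, NCRAFTED);
    return max_chain(names, n, real);
}

/* Attacker who knows the creation time only to +/- window seconds: one crafted
 * document per candidate second; report the best chain any of them achieves. */
static int attack_within_window(uint32_t real_seconds, uint32_t window) {
    int best = 0;
    for (uint32_t t = real_seconds - window; t <= real_seconds + window; t++) {
        int chain = chain_under(weak_salt(t), weak_salt(real_seconds));
        if (chain > best) best = chain;
    }
    return best;
}

int main(void) {
    const uint32_t boot = 1466035200u;    /* constructed: a second in June 2016 */
    const uint32_t strong = 0x9e3779b9u;  /* stand-in for 32 bits from /dev/urandom */
    printf("chain when salt guessed exactly   : %d\n", chain_under(weak_salt(boot), weak_salt(boot)));
    printf("chain when guess is within 60 s   : %d\n", attack_within_window(boot, 60));
    printf("chain against unpredictable salt  : %d\n", chain_under(weak_salt(boot), strong));
    return 0;
}
```

With the guessable salt every crafted identifier lands in a single chain, so the parser does quadratic work for a document of n names, and widening the attacker's uncertainty to a two-minute window only costs 121 candidate documents. Against a salt drawn from an unpredictable source the same identifiers spread across the buckets. Two mitigations follow from this: the library must draw its default salt from a real entropy source (and ideally use a keyed hash such as SipHash), and an application embedding Expat can supply its own CSPRNG-derived salt through XML_SetHashSalt, which has to be called before the first parse call.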

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 16 June 2016

  • Vulnerability Reserved