Published: 13/05/2016 Updated: 30/10/2018

CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 890

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and previous versions allows context-dependent malicious users to have unspecified impact via an invalid character in an XML document.

Vulnerable Product	Search on Vulmon	Subscribe to Product
apache xerces-c\\+\\+
opensuse opensuse 13.2

Debian Bug report logs - #823863 xerces-c: CVE-2016-2099: use-after-free Package: src:xerces-c; Maintainer for src:xerces-c is William Blough <bblough@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Mon, 9 May 2016 17:57:02 UTC Severity: grave Tags: patch, security, upstream Found in versio ...

Gustavo Grieco discovered an use-after-free vulnerability in xerces-c, a validating XML parser library for C++, due to not properly handling invalid characters in XML input documents in the DTDScanner For the stable distribution (jessie), this problem has been fixed in version 311-51+deb8u2 For the testing distribution (stretch), this problem ...

NVD-CWE-Other https://issues.apache.org/jira/browse/XERCESC-2066 http://www.openwall.com/lists/oss-security/2016/05/09/7 http://lists.opensuse.org/opensuse-updates/2016-07/msg00016.html http://lists.opensuse.org/opensuse-updates/2016-07/msg00053.html http://lists.opensuse.org/opensuse-updates/2016-09/msg00013.html http://www.debian.org/security/2016/dsa-3579 http://www.securityfocus.com/bid/90502 https://security.gentoo.org/glsa/201612-46 http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823863 https://nvd.nist.gov https://www.debian.org/security/./dsa-3579

CVE-2016-2099

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect