Vulnerability Details : CVE-2016-15026
A vulnerability classified as problematic was found in 3breadt dd-plist 1.17. It affects some unknown functionality. The manipulation leads to an XML external entity (XXE) reference. The attack has to be approached locally. Upgrading to version 1.18 addresses this issue. The patch is identified as 8c954e8d9f6f6863729e50105a8abf3f87fff74c. It is recommended to upgrade the affected component. VDB-221486 is the identifier assigned to this vulnerability.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2016-15026
- cpe:2.3:a:dd-plist_project:dd-plist:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-15026
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~43% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2016-15026
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:L/AC:L/Au:S/C:P/I:P/A:P | 3.1 | 6.4 | VulDB | |
5.3 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 1.8 | 3.4 | VulDB | |
5.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 1.8 | 3.4 | VulDB | 2024-02-29 |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2016-15026
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: cna@vuldb.com (Primary)
References for CVE-2016-15026
- https://github.com/3breadt/dd-plist/releases/tag/dd-plist-1.18
  Release 1.18 · 3breadt/dd-plist · GitHub (Release Notes)
- https://github.com/3breadt/dd-plist/commit/8c954e8d9f6f6863729e50105a8abf3f87fff74c
  1) Take steps to guard against external XXE attacks (except, note tha… · 3breadt/dd-plist@8c954e8 · GitHub (Patch)
- https://vuldb.com/?id.221486
  Login required (Permissions Required; Third Party Advisory)
- https://vuldb.com/?ctiid.221486
  Login required (Permissions Required; Third Party Advisory)
- https://github.com/3breadt/dd-plist/pull/26
  Protect XML parsing against XXE attacks and load DTD from JAR by solind · Pull Request #26 · 3breadt/dd-plist · GitHub (Issue Tracking; Patch)