Vulnerability Details : CVE-2016-4463
Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD.
Vulnerability category: Overflow; Denial of service
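As an added illustration (not code from Xerces-C++, the advisory, or this page), the script below models the failure mode the description names: a recursive-descent DTD scanner whose stack use grows with the nesting of the input, beside the same scanner with an explicit nesting cap, the check a parser needs so that attacker-controlled nesting cannot exhaust the thread stack. Parenthesised content-model groups in an `<!ELEMENT>` declaration are assumed here as the nesting construct, Python's recursion limit stands in for the native stack, and the test declarations are constructed by the script itself.

```python
"""Added illustration for CVE-2016-4463 (not Xerces-C++ code).

A recursive-descent scanner for DTD content models, once with unbounded
recursion (one frame per '(' in the input) and once with a nesting cap.
Assumptions: parenthesised content-model groups are the nesting construct;
Python's RecursionError stands in for the native stack overflow.
"""
import re
from typing import Optional


class DtdNestingError(ValueError):
    """Raised by the capped parser when the input nests too deeply."""


def nested_element_decl(depth: int, name: str = "a") -> str:
    """Constructed test input: <!ELEMENT a (((...(#PCDATA)...)))> with
    `depth` parenthesised groups around the content."""
    return f"<!ELEMENT {name} {'(' * depth}#PCDATA{')' * depth}>"


# Tokens of a content model: parens, separators, occurrence indicators, names.
_TOKEN = re.compile(r"\(|\)|\||,|[?*+]|[#\w.:-]+")


def parse_content_model(model: str, max_depth: Optional[int] = None):
    """Parse a content model such as "(to, from, (heading|body)*)" into
    nested lists of names. Separators and occurrence indicators are dropped;
    only the nesting structure matters for this illustration.

    max_depth=None: unbounded recursion, one Python frame per '(' (the
    unsafe pattern). max_depth=N: reject deeper input before recursing.
    """
    tokens = _TOKEN.findall(model)
    if not tokens or tokens[0] != "(":
        raise ValueError("content model must start with '('")
    pos = 1  # index of the next token; shared by the nested calls

    def group(depth: int) -> list:
        nonlocal pos
        if max_depth is not None and depth > max_depth:
            raise DtdNestingError(f"content model nested deeper than {max_depth}")
        items: list = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "(":
                items.append(group(depth + 1))  # recursion follows the input
            elif tok == ")":
                return items
            elif tok not in ("|", ",", "?", "*", "+"):
                items.append(tok)
        raise ValueError("unbalanced content model")

    result = group(1)
    if pos < len(tokens) and tokens[pos] in ("?", "*", "+"):
        pos += 1  # occurrence indicator on the outermost group
    if pos != len(tokens):
        raise ValueError("trailing tokens after content model")
    return result


def parse_element_decl(decl: str, max_depth: Optional[int] = None):
    """Split an <!ELEMENT name model> declaration and parse its model."""
    m = re.fullmatch(r"<!ELEMENT\s+([\w.:-]+)\s+(.+?)\s*>", decl, re.S)
    if not m:
        raise ValueError("not an ELEMENT declaration")
    return m.group(1), parse_content_model(m.group(2), max_depth)


def probe(depth: int, max_depth: Optional[int] = None) -> str:
    """Feed a declaration nested `depth` levels to the parser and report
    'ok', 'rejected' (nesting cap hit) or 'stack-exhausted' (RecursionError,
    the Python analogue of the native stack overflow)."""
    try:
        parse_element_decl(nested_element_decl(depth), max_depth)
        return "ok"
    except DtdNestingError:
        return "rejected"
    except RecursionError:
        return "stack-exhausted"


if __name__ == "__main__":
    for depth, cap in ((10, None), (10, 100), (20000, None), (20000, 100)):
        print(f"depth={depth:>6} max_depth={cap}: {probe(depth, cap)}")
```

Run as a script, the uncapped parser survives ten levels but exhausts the (Python) stack at twenty thousand, while the capped parser rejects the same input at level 101 without recursing further. A native parser in the same situation has no exception to catch: the overflow takes the process down, which is the denial of service the CVE describes, so the cap has to be applied before the recursion, not around it.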
Products affected by CVE-2016-4463
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xerces-c\+\+:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-4463
- EPSS score: 0.75% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~81% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2016-4463
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
| 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2016-4463
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-4463
- Oracle Critical Patch Update Advisory - April 2020: https://www.oracle.com/security-alerts/cpuapr2020.html
- Apache Xerces DTD Parsing Stack Overflow Lets Remote Users Cause the Target Application to Crash (SecurityTracker): http://www.securitytracker.com/id/1036211
- Apache Xerces-C security advisory for CVE-2016-4463: http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
- SecurityFocus mailing list post: http://www.securityfocus.com/archive/1/538784/100/0/threaded
- [XERCESC-2069] Stack overflow in 3.1.3 (ASF JIRA): https://issues.apache.org/jira/browse/XERCESC-2069
- Release Notes (ASF JIRA): https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069
- openSUSE-SU-2016:2232-1: moderate: Security update for xerces-c: http://lists.opensuse.org/opensuse-updates/2016-09/msg00013.html
- RHSA-2018:3506 - Security Advisory (Red Hat Customer Portal): https://access.redhat.com/errata/RHSA-2018:3506
- openSUSE-SU-2016:1808-1: moderate: Security update for xerces-c: http://lists.opensuse.org/opensuse-updates/2016-07/msg00053.html
- Apache Xerces-C CVE-2016-4463 Stack Buffer Overflow Vulnerability (SecurityFocus BID 91501): http://www.securityfocus.com/bid/91501
- Oracle Critical Patch Update Advisory - July 2018: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- RHSA-2018:3335 - Security Advisory (Red Hat Customer Portal): https://access.redhat.com/errata/RHSA-2018:3335
- Apache Xerces-C XML Parser Crash (Packet Storm): http://packetstormsecurity.com/files/137714/Apache-Xerces-C-XML-Parser-Crash.html
- Debian Security Information DSA-3610-1 xerces-c: https://www.debian.org/security/2016/dsa-3610
- RHSA-2018:3514 - Security Advisory (Red Hat Customer Portal): https://access.redhat.com/errata/RHSA-2018:3514