Vulnerability Details: CVE-2016-5851
python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2016-5851
- cpe:2.3:a:python-openxml_project:python-docx:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-5851
- EPSS score: 1.22% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~86% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2016-5851
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2016-5851
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-5851
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FFMOH7ZPOPQWNJGUZOS5LXX4MGNRXXT/ : [SECURITY] Fedora 33 Update: python-docx-0.8.11-3.fc33 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XU2WSYRNB7CLBBFCGSX34XHACTA2SWDZ/ : [SECURITY] Fedora 34 Update: python-docx-0.8.11-3.fc34 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2016/06/28/8 : oss-security - Re: CVE request - python-docx 0.8.5 - XXE (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2016/06/28/7 : oss-security - CVE request - python-docx 0.8.5 - XXE (Mailing List; Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/91485 : python-docx CVE-2016-5851 XML External Entity Injection Vulnerability (Third Party Advisory; VDB Entry)
- https://github.com/python-openxml/python-docx/blob/v0.8.6/HISTORY.rst : python-docx/HISTORY.rst at v0.8.6 · python-openxml/python-docx · GitHub (Patch; Release Notes; Vendor Advisory)
- https://github.com/python-openxml/python-docx/commit/61b40b161b64173ab8e362aec1fd197948431beb : oxml: don't resolve XML entities in oxml_parser · python-openxml/python-docx@61b40b1 · GitHub