CVE-2016-3674 — libxstream-java - security update

Description

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

How to fix CVE-2016-3674

To remediate CVE-2016-3674, upgrade the affected package to a fixed version below.

—upgrade to 1.4.9-1 or later
—upgrade to 1.4.2-1+deb7u1 or later
—upgrade to 1.4.7-2+deb8u1 or later
—upgrade to 1.4.9 or later

Is CVE-2016-3674 being exploited?

Low — EPSS is 4.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.4.9-1
from 0, < 1.4.2-1+deb7u1
from 0, < 1.4.7-2+deb8u1
from 0, < 1.4.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (15)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-3674
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-3674
PATCHgithub.com/x-stream/xstream
WEBlists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html