{"id":"CVE-2016-3674","details":"Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.","aliases":["GHSA-rgh3-987h-wpmw"],"modified":"2026-07-08T05:48:11.435291275Z","published":"2016-05-17T14:08:03.607Z","related":["openSUSE-SU-2024:10592-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","cpes":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"8.0"},{"last_affected":"8.0"}],"vendor_product":"debian:debian_linux"},{"source":"CPE_STRING","cpes":["cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"22"},{"last_affected":"22"},{"introduced":"23"},{"last_affected":"23"}],"vendor_product":"fedoraproject:fedora"},{"cpes":["cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"introduced":"1"},{"last_affected":"1"}],"vendor_product":"redhat:jboss_middleware"}]},"references":[{"type":"ADVISORY","url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html"},{"type":"ADVISORY","url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2822.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2823.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3575"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/03/25/8"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/03/28/1"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/85381"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1036419"},{"type":"ADVISORY","url":"http://x-stream.github.io/changes.html#1.4.9"},{"type":"ADVISORY","url":"https://github.com/x-stream/xstream/issues/25"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/x-stream/xstream","events":[{"introduced":"0"},{"fixed":"f66bbea1b383e705988abf8d06ea9782a73f24d4"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.4.9"}]}}],"versions":["XSTREAM_1_4_5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3674.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}