CVE-2016-3674
XML External Entity (XXE) vulnerability in com.thoughtworks.xstream:xstream

XML External Entity (XXE) No known exploit

What is CVE-2016-3674 About?

This vulnerability is an XML External Entity (XXE) flaw in multiple XStream drivers, allowing remote attackers to read arbitrary files. Successful exploitation can lead to information disclosure or potentially further attacks. Exploitation is relatively easy through specially crafted XML documents.

Affected Software

com.thoughtworks.xstream:xstream <1.4.9

Technical Details

The vulnerability lies within several XStream drivers (Dom4JDriver, DomDriver, JDomDriver, JDom2Driver, SjsxpDriver, StandardStaxDriver, and WstxDriver), whose underlying XML parsers accept DTD-declared external entities by default. When one of these drivers processes a maliciously crafted XML document, the parser can be tricked into resolving external entities defined by the attacker. By using SYSTEM identifiers in a DTD embedded in the XML, an attacker can point an external entity at a local file path (e.g., file:///etc/passwd); the parser reads the file and substitutes its content into the document, which the application then processes and potentially returns to the attacker.

What is the Impact of CVE-2016-3674?

Successful exploitation may allow attackers to read arbitrary files from the server, including sensitive configuration files, source code, or credentials, leading to information disclosure.

What is the Exploitability of CVE-2016-3674?

Exploitation of this XXE vulnerability is of low to moderate complexity, primarily requiring knowledge of XML and DTD syntax. No authentication is required if the vulnerable XStream endpoint is publicly accessible. There are no specific privilege requirements for the initial attack, as it leverages parser functionality. This is a remote vulnerability; an attacker can send a crafted XML document to the vulnerable application over the network. Prerequisites include the application's use of vulnerable XStream drivers to parse attacker-controlled XML input. The likelihood of exploitation increases if input validation on XML documents is insufficient.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2016-3674?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.9 → Upgrade to 1.4.9
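The upgrade above is the fix. As an added illustration of the hardening it represents (this is example code written for this page, not code from the advisory or from the XStream project), the class below builds an XStream instance whose StAX input factory has DTD and external-entity support switched off, and it additionally refuses any payload that carries a DOCTYPE before the parser sees it. It assumes an XStream 1.4.x release and a standard javax.xml.stream provider on the classpath; the class and method names (HardenedXStream, SafeStaxDriver, parseUntrusted), the DOCTYPE pattern and the placeholder file path are all constructed for the example.

```java
// Added example: hardened XStream setup against the XXE class described in
// CVE-2016-3674. Not part of the advisory or of XStream itself.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import javax.xml.stream.XMLInputFactory;
import java.util.regex.Pattern;

public class HardenedXStream {

    // StaxDriver subclass whose XMLInputFactory has DTD processing and
    // external-entity resolution disabled. StaxDriver.createInputFactory()
    // is the hook XStream's own StAX drivers use to build their factory.
    static class SafeStaxDriver extends StaxDriver {
        @Override
        protected XMLInputFactory createInputFactory() {
            XMLInputFactory factory = super.createInputFactory();
            factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
            return factory;
        }
    }

    // Defence in depth: application payloads have no legitimate need for a
    // DOCTYPE, so reject it before parsing. How a StAX provider reacts to a
    // DTD when SUPPORT_DTD is false varies, which is why this guard exists.
    // (Pattern is an assumption of this example.)
    private static final Pattern DOCTYPE =
            Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE);

    // Parses attacker-controlled XML with the hardened driver.
    static Object parseUntrusted(String xml) {
        if (DOCTYPE.matcher(xml).find()) {
            throw new IllegalArgumentException("DOCTYPE declarations are not accepted");
        }
        XStream xstream = new XStream(new SafeStaxDriver());
        return xstream.fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed benign payload: XStream maps <string> to java.lang.String.
        String benign = "<string>hello</string>";
        System.out.println("benign -> " + parseUntrusted(benign));

        // Constructed payload carrying a DTD with a SYSTEM entity; the path is
        // a placeholder, not a real target. The guard rejects it before parsing.
        String withDtd = "<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///PLACEHOLDER/path\">]>"
                + "<string>&e;</string>";
        try {
            parseUntrusted(withDtd);
            System.out.println("unexpected: DTD payload was accepted");
        } catch (IllegalArgumentException rejected) {
            System.out.println("rejected -> " + rejected.getMessage());
        }
    }
}
```

Run it with XStream on the classpath; the benign document deserializes to the string "hello" and the DTD-bearing document is rejected by the guard. The two XMLInputFactory properties are the same class of setting that XStream 1.4.9 applies in its own StAX drivers, so on a fixed version the subclass is redundant but harmless; the DOCTYPE guard remains useful on any version because it also covers the DOM and JDOM driver paths if those are switched in later.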


Additional Resources

What are Similar Vulnerabilities to CVE-2016-3674?

Similar Vulnerabilities: CVE-2021-43859, CVE-2018-1000844, CVE-2017-1000487, CVE-2017-1000486, CVE-2017-12626