2112766 – (CVE-2016-3709) CVE-2016-3709 libxml2: Incorrect server side include parsing can lead to XSS

Bug 2112766 (CVE-2016-3709) - CVE-2016-3709 libxml2: Incorrect server side include parsing can lead to XSS

Summary: CVE-2016-3709 libxml2: Incorrect server side include parsing can lead to XSS

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-3709
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2121133 2112780 2112781 2120780 2120781 2120782 2121134
Blocks:	2112769
TreeView+	depends on / blocked

Reported:	2022-08-01 05:31 UTC by Sandipan Roy
Modified:	2024-03-19 02:28 UTC (History)
CC List:	48 users (show)
Fixed In Version:	libxml2 2.9.11
Doc Type:	If docs needed, set a value
Doc Text:	A Cross-site scripting (XSS) vulnerability was found in libxml2. A specially crafted input, when serialized and re-parsed by the libxml2 library, will result in a document with element attributes that did not exist in the original document.
Clone Of:
Environment:
Last Closed:	2022-12-04 05:33:14 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:7715	0	None	None	None	2022-11-08 10:15:38 UTC
Red Hat Product Errata	RHSA-2023:4767	0	None	None	None	2023-08-28 12:58:07 UTC

Description Sandipan Roy 2022-08-01 05:31:37 UTC

Possible cross-site scripting vulnerability in libxml after commit 960f0e2.

https://mail.gnome.org/archives/xml/2018-January/msg00010.html

Comment 1 Sandipan Roy 2022-08-01 05:45:02 UTC

Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2112780]


Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 2112781]

Comment 4 Guilherme de Almeida Suckevicz 2022-08-23 17:48:44 UTC

Reference:
https://bugzilla.gnome.org/show_bug.cgi?id=769760

Upstream patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f

Comment 6 Guilherme de Almeida Suckevicz 2022-08-24 14:45:49 UTC

Created qt5-qtwebengine tracking bugs for this issue:

Affects: epel-8 [bug 2121133]
Affects: fedora-all [bug 2121134]

Comment 9 errata-xmlrpc 2022-11-08 10:15:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7715 https://access.redhat.com/errata/RHSA-2022:7715

Comment 10 Product Security DevOps Team 2022-12-04 05:33:10 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-3709

Comment 11 errata-xmlrpc 2023-08-28 12:58:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4767 https://access.redhat.com/errata/RHSA-2023:4767

Note You need to log in before you can comment on or make changes to this bug.

bdettelb
caswilli
csutherl
dffrench
dhalasz
dking
dkuc
erik-fedora
fjansen
gzaronik
jary
jburrell
jclere
jkoehler
jplesnik
jwong
jwon
kaycoth
kde-sig
kevin
kshier
ktietz
micjohns
mturk
ngough
ohudlick
peholase
pjindal
plodge
psegedy
rdieter
rfreiman
rgodfrey
rh-spice-bugs
rjones
stcannon
sthirugn
szappis
tcarlin
tfister
tkasparek
tmeszaro
tohughes
tsasak
veillard
vkrizan
vkumar
vmugicag