CVE Vulnerabilities

CVE-2016-4483

Deserialization of Untrusted Data

Published: Apr 11, 2017 | Modified: Apr 20, 2025
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
4.3 MODERATE
AV:N/AC:M/Au:N/C:N/I:N/A:P
RedHat/V3
Ubuntu
LOW

The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.

Weakness

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Software

Name Vendor Start Version End Version
Libxml2 Xmlsoft * 2.9.4 (excluding)
Text-Only JBCS RedHat *
Libxml2 Ubuntu esm-infra-legacy/trusty *
Libxml2 Ubuntu esm-infra/xenial *
Libxml2 Ubuntu precise *
Libxml2 Ubuntu trusty *
Libxml2 Ubuntu trusty/esm *
Libxml2 Ubuntu upstream *
Libxml2 Ubuntu vivid/stable-phone-overlay *
Libxml2 Ubuntu wily *
Libxml2 Ubuntu xenial *

Potential Mitigations

  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

References