{
  "threat_severity" : "Moderate",
  "public_date" : "2016-03-21T00:00:00Z",
  "bugzilla" : {
    "description" : "libxml2: stack exhaustion while parsing xml files in recovery mode",
    "id" : "1319829",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1319829"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-674",
  "details" : [ "The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.", "Missing recursive loop detection checks were found in the xmlParserEntityCheck() and xmlStringGetNodeList() functions of libxml2, causing an application using the library to crash from stack exhaustion while building the associated data. An attacker able to send XML data to be parsed in recovery mode could cause a denial of service in the application." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-06-23T00:00:00Z",
    "advisory" : "RHSA-2016:1292",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "libxml2-0:2.7.6-21.el6_8.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-06-23T00:00:00Z",
    "advisory" : "RHSA-2016:1292",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "libxml2-0:2.9.1-6.el7_2.3"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2016-12-15T00:00:00Z",
    "advisory" : "RHSA-2016:2957",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "libxml2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 3",
    "fix_state" : "Will not fix",
    "package_name" : "libxml2",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-3627\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-3627" ],
  "name" : "CVE-2016-3627",
  "csaw" : false
}