Apache Commons Jelly (Xerces-based Jelly Parser) XML File xml external entity reference


A vulnerability was found in Apache Commons Jelly before 1.0.1, which parses Jelly scripts (XML files) with Apache Xerces (CVE-2017-12621). It has been declared as critical. The affected component is the Jelly Parser: if a Jelly file declares a custom DOCTYPE entity as a SYSTEM entity with a URL and references that entity in the body, the parser connects to that URL while the script is being parsed. This is an XML External Entity (XXE, CWE-611) issue: whoever can supply or modify a Jelly script can make the parsing host fetch attacker-chosen URLs (internal hosts included) and, where the entity content is reflected back, read local files. Countermeasure: upgrade to Apache Commons Jelly 1.0.1 (tracked as JELLY-293). Where that is not possible, parse Jelly scripts only from trusted sources, or configure the Xerces reader to disallow DOCTYPE declarations and external entity resolution.

Entry revisions: 11/20/2019 09:06 AM, 01/14/2021 03:28 PM, 01/14/2021 03:32 PM. No field value changed between revisions; sectracker, cvss2_nvd_basescore and person_name were added in later revisions.

| Field | Value |
|---|---|
| vendor | Apache |
| name | Xerces |
| component | Jelly Parser |
| input_type | XML File |
| cwe | 611 (XML External Entity) |
| risk | 2 |
| cvss2_vuldb_basescore | 7.5 |
| cvss2_vuldb_tempscore | 7.5 |
| cvss2_vuldb vector (av/ac/au/ci/ii/ai) | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| cvss2_vuldb_e / rl / rc | ND / ND / ND |
| cvss2_nvd_basescore | 7.5 |
| cvss2_nvd vector (av/ac/au/ci/ii/ai) | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| cvss3_meta_basescore | 8.5 |
| cvss3_meta_tempscore | 8.5 |
| cvss3_vuldb_basescore | 7.3 |
| cvss3_vuldb_tempscore | 7.3 |
| cvss3_vuldb vector (av/ac/pr/ui/s/c/i/a) | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| cvss3_vuldb_e / rl / rc | X / X / X |
| cvss3_nvd_basescore | 9.8 |
| cvss3_nvd vector (av/ac/pr/ui/s/c/i/a) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| date | 1506556800 (09/28/2017) |
| url | https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73@%3Cdev.commons.apache.org%3E |
| confirm_url | https://issues.apache.org/jira/browse/JELLY-293 |
| price_0day | $5k-$25k |
| cve | CVE-2017-12621 |
| cve_assigned | 1502064000 (08/07/2017) |
| cve_nvd_published | 1506470400 (09/27/2017) |
| cve_nvd_summary | During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1. |
| securityfocus | 101052 |
| securityfocus_title | Apache Commons Jelly CVE-2017-12621 Security Bypass Vulnerability |
| securityfocus_date | 1506297600 (09/25/2017) |
| securityfocus_class | Failure to Handle Exceptional Conditions |
| sectracker | 1039444 |
| location | Website |
| discoverydate | 1506470400 (09/27/2017) |
| person_name | Luca Carettoni |
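The following Java program is an added illustration of the mechanism in the NVD summary; it is not code from this page, from Commons Jelly or from Xerces, and it does not reproduce the actual JELLY-293 fix. It builds two JAXP/Xerces SAX readers, one with default settings and one hardened, and parses a constructed Jelly script whose DOCTYPE declares a SYSTEM entity. Instead of letting the parser reach the network, an EntityResolver records which system identifier the parser tried to fetch and returns empty content. The host attacker.invalid and the script contents are constructed for the example.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class JellyXxeCheck {

    // Constructed sample script of the shape the advisory describes: a DOCTYPE
    // declares a SYSTEM entity pointing at a URL and the body references it.
    // attacker.invalid is a hypothetical, non-routable host.
    static final String JELLY_SCRIPT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE script [\n"
      + "  <!ENTITY probe SYSTEM \"http://attacker.invalid/xxe\">\n"
      + "]>\n"
      + "<j:jelly xmlns:j=\"jelly:core\">\n"
      + "  <j:set var=\"leak\">&probe;</j:set>\n"
      + "</j:jelly>\n";

    /** A SAX reader as JAXP/Xerces hands it out by default: DOCTYPE accepted,
     *  external general entities resolved. This is the weak configuration. */
    static XMLReader defaultReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newSAXParser().getXMLReader();
    }

    /** Hardened reader: reject any DOCTYPE outright, and additionally switch
     *  off external entity and external DTD resolution for parsers that do
     *  not honour the first feature. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        try {
            r.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");   // JAXP 1.5+
        } catch (SAXException olderParser) {
            // Parser predates JAXP 1.5; the features above still apply.
        }
        return r;
    }

    /** Parses xml with r and returns the system identifiers the parser asked
     *  the EntityResolver to fetch. The resolver records the request and hands
     *  back empty content, so nothing touches the network. A document the
     *  parser refuses is reported as a single "rejected: ..." entry. */
    static List<String> attemptedFetches(XMLReader r, String xml) throws Exception {
        List<String> seen = new ArrayList<>();
        r.setEntityResolver((publicId, systemId) -> {
            seen.add(systemId);
            return new InputSource(new StringReader(""));
        });
        r.setContentHandler(new DefaultHandler());
        try {
            r.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            seen.add("rejected: " + e.getMessage());
        }
        return seen;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default reader : " + attemptedFetches(defaultReader(), JELLY_SCRIPT));
        System.out.println("hardened reader: " + attemptedFetches(hardenedReader(), JELLY_SCRIPT));
    }
}
```

Compile and run with `javac JellyXxeCheck.java && java JellyXxeCheck`. The default reader lists http://attacker.invalid/xxe, showing that the parser tries to fetch the entity URL as soon as the reference is encountered; the hardened reader never calls the resolver and reports the document as rejected because the DOCTYPE is disallowed. The same recording resolver can be attached to any XMLReader a deployment actually uses to check whether its configuration resolves external entities.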
