Apache Xerces Jelly Parser XML File xml external entity reference


A vulnerability was found in Apache Xerces (affected version unknown) and has been declared critical. It affects an unknown part of the Jelly Parser component. No countermeasures are known; replacing the affected object with an alternative product may be advisable.

Timeline

Analyzing the timeline helps to determine the required approach and handling of individual vulnerabilities and vulnerability collections. This overview makes less important slices and more severe hotspots visible at a glance, enabling immediate vulnerability response and prioritization of issues.


| ID | Committed | User | Field | Change | Remarks | Moderated | Reason | C |
|---|---|---|---|---|---|---|---|---|
| 10820234 | 01/14/2021 | VulD... | person_name | Luca Carettoni | securityfocus.com | 01/14/2021 | accepted | 70 |
| 10820233 | 01/14/2021 | VulD... | cvss2_nvd_basescore | 7.5 | nist.gov | 01/14/2021 | accepted | 90 |
| 10820232 | 01/14/2021 | VulD... | price_0day | $5k-$25k | see documentation | 01/14/2021 | accepted | 90 |
| 10820231 | 01/14/2021 | VulD... | sectracker | 1039444 | cve.mitre.org | 01/14/2021 | accepted | 70 |
| 7143744 | 11/20/2019 | VulD... | securityfocus_class | Failure to Handle Exceptional Conditions | securityfocus.com | 11/20/2019 | accepted | 100 |
| 7143743 | 11/20/2019 | VulD... | securityfocus_date | 1506297600 (09/25/2017) | securityfocus.com | 11/20/2019 | accepted | 100 |
| 7143697 | 11/20/2019 | VulD... | discoverydate | 1506470400 | | 11/20/2019 | accepted | 100 |
| 7143753 | 09/28/2017 | VulD... | cvss3_nvd_basescore | 9.8 | nist.gov | 09/28/2017 | accepted | 90 |
| 7143752 | 09/28/2017 | VulD... | cvss3_vuldb_rc | X | | 09/28/2017 | accepted | 90 |
| 7143751 | 09/28/2017 | VulD... | cvss3_vuldb_rl | X | | 09/28/2017 | accepted | 90 |
| 7143750 | 09/28/2017 | VulD... | cvss3_vuldb_e | X | | 09/28/2017 | accepted | 90 |
| 7143749 | 09/28/2017 | VulD... | cvss2_vuldb_rc | ND | | 09/28/2017 | accepted | 90 |
| 7143748 | 09/28/2017 | VulD... | cvss2_vuldb_rl | ND | | 09/28/2017 | accepted | 90 |
| 7143747 | 09/28/2017 | VulD... | cvss2_vuldb_e | ND | | 09/28/2017 | accepted | 90 |
| 7143746 | 09/28/2017 | VulD... | location | Website | | 09/28/2017 | accepted | 90 |
| 7143745 | 09/28/2017 | VulD... | securityfocus_title | Apache Commons Jelly CVE-2017-12621 Security Bypass Vulnerability | securityfocus.com | 09/28/2017 | accepted | 100 |
| 7143742 | 09/28/2017 | VulD... | securityfocus | 101052 | securityfocus.com | 09/28/2017 | accepted | 100 |
| 7143741 | 09/28/2017 | VulD... | cve_nvd_summary | During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1. | mitre.org | 09/28/2017 | accepted | 100 |
| 7143740 | 09/28/2017 | VulD... | cve_nvd_published | 1506470400 | mitre.org | 09/28/2017 | accepted | 100 |
| 7143739 | 09/28/2017 | VulD... | cve_assigned | 1502064000 | mitre.org | 09/28/2017 | accepted | 100 |
