Oracle PeopleSoft Enterprise PeopleTools 8.56/8.57/8.58 XML Messaging xml external entity reference
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.9 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in Oracle PeopleSoft Enterprise PeopleTools 8.56/8.57/8.58 and classified as critical. This issue affects some unknown processing of the component XML Messaging. This manipulation causes an unknown weakness. This vulnerability is tracked as CVE-2017-1000061. The attack is restricted to local execution. No exploit exists. The affected component should be upgraded.
Details
A vulnerability was found in Oracle PeopleSoft Enterprise PeopleTools 8.56/8.57/8.58 (Enterprise Resource Planning Software). It has been declared as critical. Affected by this vulnerability is an unknown part of the component XML Messaging. The CWE definition for the vulnerability is CWE-611. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. As an impact it is known to affect confidentiality, and availability.
The weakness was disclosed 04/21/2021 as Oracle Critical Patch Update Advisory - April 2021. The advisory is shared at oracle.com. This vulnerability is known as CVE-2017-1000061. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.
The commercial vulnerability scanner Qualys is able to test this issue with plugin 351092 (Amazon Linux Security Advisory for xmlsec1: ALAS-2017-890).
Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.oracle.com
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.1VulDB Meta Temp Score: 6.9
VulDB Base Score: 7.1
VulDB Temp Score: 6.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.1
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Xml external entity referenceCWE: CWE-611 / CWE-610
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Timeline
07/10/2017 🔍04/21/2021 🔍
04/21/2021 🔍
04/23/2021 🔍
05/03/2025 🔍
Sources
Vendor: oracle.comAdvisory: Oracle Critical Patch Update Advisory - April 2021
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2017-1000061 (🔍)
GCVE (CVE): GCVE-0-2017-1000061
GCVE (VulDB): GCVE-100-173617
Entry
Created: 04/23/2021 06:40Updated: 05/03/2025 22:31
Changes: 04/23/2021 06:40 (39), 04/26/2021 12:48 (6), 04/26/2021 12:57 (18), 09/13/2024 13:40 (17), 05/03/2025 22:31 (3)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.