CVE-2008-0628: XML External Entity (XXE) Injection in JRE

CWE-264 | 5 documents | 5 sources
Severity: 7.8 HIGH (NVD)
EPSS: 6.8% (top 8.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Feb 6
Latest update: May 1

Description

The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources.

CVSS vector

AV:N/AC:M/C:N/I:P/A:C
Exploitability: 8.6 | Impact: 7.8

Affected Packages (2 packages)

NVD: sun/jre 1.6.0
NVD: sun/jdk 1.6

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-878m-jp48-9823: The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external g... (2022-05-01)
CVEList: CVE-2008-0628: The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external g... (2008-02-06)

📋 Vendor Advisories (1)

Red Hat: java-1.6.0 default external entity processing (2008-01-31)

💬 Community (1)

Bugzilla: CVE-2008-0628 java-1.6.0 default external entity processing (2008-02-04)