CVE-2014-2053
Published 2014-06-04
Priority P3 · 41 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 4.68% (90.6th percentile)
getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. Note that the fixed upstream version is reported inconsistently on this page: NVD, Debian and the Fedora bug say 1.9.8, while the OSV and GHSA advisories and the james-heinrich/getid3 range say 1.9.9; treating 1.9.9 as the floor satisfies every source.
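The description names the bug class (XXE, CWE-611) but not the parsing pattern behind it. The following is an added example, not getID3's own code and not its upstream fix: a PHP tag parser that follows an external entity declared in a DOCTYPE, shown beside a hardened version. The function names, the constructed payload and the temporary "secret" file are illustrative assumptions.

```php
<?php
// Added example for CVE-2014-2053's bug class (CWE-611). This is NOT getID3
// code and NOT the upstream fix; function names, the payload and the
// temporary "secret" file are constructed for illustration.

// Constructed secret that the attacker wants to read off the server.
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, "db_password=hunter2\n");

// Constructed XXE payload: the DTD declares an external entity backed by a
// local file, and the body references it where the parser expects a title.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE tags [ <!ENTITY xxe SYSTEM "file://$secretPath"> ]>
<tags><title>&xxe;</title></tags>
XML;

/**
 * Vulnerable pattern: LIBXML_NOENT asks libxml to substitute entities, and
 * the default external entity loader resolves the file:// reference, so the
 * file contents come back as the "title".
 */
function parseTitleVulnerable(string $xml): ?string
{
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $doc === false ? null : (string) $doc->title;
}

/**
 * Hardened pattern: reject any DTD up front (tag metadata never needs one),
 * never pass LIBXML_NOENT, forbid network fetches with LIBXML_NONET, and
 * install an external entity loader that always fails. The loader is
 * process-global, so in a real application set it once at start-up.
 */
function parseTitleHardened(string $xml): ?string
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null; // DTD-bearing input is refused outright
    }
    libxml_set_external_entity_loader(static function () {
        return null; // refuse every external entity, local or remote
    });
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $doc === false ? null : (string) $doc->title;
}

printf("vulnerable: %s\n", var_export(parseTitleVulnerable($payload), true));
printf("hardened:   %s\n", var_export(parseTitleHardened($payload), true));
unlink($secretPath);
```

With PHP's default external entity loader in place, the vulnerable function returns the contents of the temporary file as the title; the hardened one returns null because the input carries a DOCTYPE. On libxml 2.9 and later entities are not substituted unless LIBXML_NOENT is passed, which is exactly the flag the vulnerable function passes, so dropping that flag is the single most important change; the DOCTYPE check and the failing entity loader are defence in depth against a parser that is later reconfigured.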
Affected
81 ranges · showing 25 (duplicate rows without version data collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-getid3 | < php-getid3 1.9.7-2 (bookworm) | php-getid3 1.9.7-2 (bookworm) |
| debian | wordpress | < php-getid3 1.9.7-2 (bookworm) | php-getid3 1.9.7-2 (bookworm) |
| getid3 | getid3 | <= 1.9.7 | — |
| getid3 | getid3 | — | — |
| james-heinrich | getid3 | >= 0 < 1.9.9 | 1.9.9 |
| mediawiki | mediawiki | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
OSV
getID3 is vulnerable to XML External Entity (XXE)
osv · 2022-05-17 · HIGH
getID3() before 1.9.9, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
GHSA
getID3 is vulnerable to XML External Entity (XXE)
ghsa · 2022-05-17 · HIGH · CWE-611
getID3() before 1.9.9, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
GHSA
GHSA-rwqh-hfr8-59c3: The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 is vulnerable to XXE
ghsa_unreviewed · 2022-05-17 · CVSS 7.5 · CVE-2014-9487 [HIGH] · CWE-611
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.
OSV
CVE-2014-2053: getID3() before 1.9.8 allows XXE
osv · 2014-06-04 · CVSS 7.5 · HIGH
getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Debian
CVE-2014-2053: php-getid3 XXE
vendor_debian · 2014 · CVSS 7.5 · HIGH
getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Scope: local
bookworm: resolved (fixed in 1.9.7-2)
bullseye: resolved (fixed in 1.9.7-2)
forky: resolved (fixed in 1.9.7-2)
sid: resolved (fixed in 1.9.7-2)
trixie: resolved (fixed in 1.9.7-2)
No detection rules found.
No public exploits indexed.
Bugzilla
mediawiki: multiple vulnerabilities (CVE-2014-9475, CVE-2014-9476, CVE-2014-9477, CVE-2014-9478, CVE-2014-9479, CVE-2014-9480, CVE-2014-9481, CVE-2014-9487)
bugzilla · 2014-12-18 · CVSS 7.5 · HIGH
Upstream changelog mentions a whole bunch of vulnerabilities fixed in latest releases:
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
which could lead to xss. Permission to edit MediaWiki namespace is required
to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
$wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
part of its name.
== Security fixes in extensions ==
* (bug T77624) [SECURITY] Extension:Listings: missing validation in the
'name' and 'url' parameters.
* (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input
as wikitext and show
Bugzilla
CVE-2014-2053 php-getid3: XML External Entity (XXE) flaw [epel-6]
bugzilla · 2014-08-14 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for php-getid3: see blocks bug list for ful
Bugzilla
CVE-2014-2053 php-getid3: XML External Entity (XXE) flaw
bugzilla · 2014-08-14 · CVSS 7.5 · HIGH
The upstream getID3() 1.9.8 release fixed an XML External Entity (XXE) flaw:
http://sourceforge.net/projects/getid3/files/getID3%28%29%201.x/1.9.8/
Upstream fix:
https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
References:
http://seclists.org/oss-sec/2014/q3/301
Discussion:
Created php-getid3 tracking bugs for this issue:
Affects: fedora-all [bug 1130007]
Affects: epel-6 [bug 1130009]
---
php-getid3-1.9.12-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat
Bugzilla
CVE-2014-2053 php-getid3: XML External Entity (XXE) flaw [fedora-all]
bugzilla · 2014-08-14 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora.
References
http://getid3.sourceforge.net/source/changelog.txt
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
http://secunia.com/advisories/58002
http://www.debian.org/security/2014/dsa-3001
https://wordpress.org/news/2014/08/wordpress-3-9-2/