CVE-2015-0851
published 2015-08-12CVE-2015-0851: XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows…
PriorityP423medium5CVSS 2.0
AVNACLAuNCNINAP
EPSS
2.44%
82.3th percentile
XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xmltooling | < xmltooling 1.5.6-1 (bookworm) | xmltooling 1.5.6-1 (bookworm) |
| xmltooling_project | xmltooling | <= 1.5.4 | — |
| xmltooling_project | xmltooling | >= 0 < 1.5.6-1 | 1.5.6-1 |
| xmltooling_project | xmltooling | >= 0 < 1.5.6-1 | 1.5.6-1 |
| xmltooling_project | xmltooling | >= 0 < 1.5.6-1 | 1.5.6-1 |
| xmltooling_project | xmltooling | >= 0 < 1.5.6-1 | 1.5.6-1 |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv5.0MEDIUM
vendor_debian5.0MEDIUM
vendor_redhat5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-2px9-x675-rqf5: XMLTooling-C before 1
ghsa_unreviewed·2022-05-17
CVE-2015-0851 [MEDIUM] GHSA-2px9-x675-rqf5: XMLTooling-C before 1
XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.
OSV
CVE-2015-0851: XMLTooling-C before 1
osv·2015-08-12·CVSS 5.0
CVE-2015-0851 [MEDIUM] CVE-2015-0851: XMLTooling-C before 1
XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.
Red Hat
xmltooling: incorrect processing of well-formed but invalid XML
vendor_redhat·2015-07-21·CVSS 5.0
CVE-2015-0851 [MEDIUM] CWE-20 xmltooling: incorrect processing of well-formed but invalid XML
xmltooling: incorrect processing of well-formed but invalid XML
XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.
Package: xmltooling (Red Hat BPM Suite 6) - Affected
Package: xmltooling (Red Hat JBoss BRMS 6) - Affected
Package: xmltooling (Red Hat JBoss Data Grid 6) - Affected
Package: xmltooling (Red Hat JBoss Data Virtualization 6) - Affected
Package: xmltooling (Red Hat JBoss Enterprise Application Platform 6) - Affected
Package: xmltooling (Red Hat JBoss Fuse Service Works 6) - Affected
Package: xmltooling (Red Hat JBoss Operations Network 3) - Affected
Package: xmltooling (Red Hat JBoss P
Debian
CVE-2015-0851: xmltooling - XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider...
vendor_debian·2015·CVSS 5.0
CVE-2015-0851 [MEDIUM] CVE-2015-0851: xmltooling - XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider...
XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.
Scope: local
bookworm: resolved (fixed in 1.5.6-1)
bullseye: resolved (fixed in 1.5.6-1)
forky: resolved (fixed in 1.5.6-1)
sid: resolved (fixed in 1.5.6-1)
trixie: resolved (fixed in 1.5.6-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-0851 xmltooling: incorrect processing of well-formed but invalid XML
bugzilla·2015-07-30·CVSS 5.0
CVE-2015-0851 [MEDIUM] CVE-2015-0851 xmltooling: incorrect processing of well-formed but invalid XML
CVE-2015-0851 xmltooling: incorrect processing of well-formed but invalid XML
A flaw was found in the way the XMLTooling library parsed certain well-formed but schema-invalid XML inputs. An application using the XMLTooling library could crash when parsing crafted XML inputs.
Additional information:
http://shibboleth.net/community/advisories/secadv_20150721.txt
Upstream patch:
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900
Discussion:
Created xmltooling tracking bugs for this issue:
Affects: fedora-all [bug 1248506]
Bugzilla
CVE-2015-0851 xmltooling: incorrect processing of well-formed but invalid XML [fedora-all]
bugzilla·2015-07-30·CVSS 5.0
CVE-2015-0851 [MEDIUM] CVE-2015-0851 xmltooling: incorrect processing of well-formed but invalid XML [fedora-all]
CVE-2015-0851 xmltooling: incorrect processing of well-formed but invalid XML [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions
bugzilla·2014-08-26·CVSS 4.3
CVE-2013-7397 [MEDIUM] CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions
CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions
It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also uses client certificates. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate.
Discussion:
Upstream bug:
https://github.com/AsyncHttpClient/async-http-client/issues/352
---
This issue has been addressed in the following products:
JBoss BPM Suite 6.1.0
Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
---
This issue has been addressed in the following products:
JBoss BRMS 6.1.0
Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
---
async-
http://shibboleth.net/community/advisories/secadv_20150721.txthttp://www.debian.org/security/2015/dsa-3321http://www.securityfocus.com/bid/76134https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900http://shibboleth.net/community/advisories/secadv_20150721.txthttp://www.debian.org/security/2015/dsa-3321http://www.securityfocus.com/bid/76134https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900
2015-08-12
Published