CVE-2017-15691

CWE-611 — XML External Entity (XXE)9 documents7 sources

Severity

6.5MEDIUM

EPSS

0.8%

top 26.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Uima-as Apache Uimaducc Apache Uimafit +2 more

Timeline

PublishedApr 26

Latest updateMay 14

Description

In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

▶NVDapache/uimaj< 2.10.2+1

▶Mavenorg.apache.uima:uimaj-core3.0.0-alpha — 3.0.0-beta+1

▶Mavenorg.apache.uima:uimaj-as-core< 2.10.2

▶NVDapache/uimafit< 2.4.0

▶NVDapache/uimaducc< 2.2.2

🔴Vulnerability Details

OSV

Improper Restriction of XML External Entity Reference in Apache uimaj↗2022-05-14

▶

GHSA

Improper Restriction of XML External Entity Reference in Apache uimaj↗2022-05-14

▶

OSV

CVE-2017-15691: In Apache uimaj prior to 2↗2018-04-26

▶

CVEList

CVE-2017-15691: In Apache uimaj prior to 2↗2018-04-26

▶

📋Vendor Advisories

Red Hat

uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code↗2018-04-27

▶

Debian

CVE-2017-15691: uimaj - In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apa...↗2017

▶

💬Community

Bugzilla

CVE-2017-15691 uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code↗2018-04-27

▶

Bugzilla

CVE-2017-15691 uimaj: uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code [fedora-all]↗2018-04-27

▶