CVE-2017-12621

{"id": "CVE-2017-12621", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2017-09-28T01:29:01.293", "references": [{"url": "http://www.securityfocus.com/bid/101052", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@apache.org"}, {"url": "http://www.securitytracker.com/id/1039444", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@apache.org"}, {"url": "https://issues.apache.org/jira/browse/JELLY-293", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3E", "source": "security@apache.org"}, {"url": "http://www.securityfocus.com/bid/101052", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securitytracker.com/id/1039444", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://issues.apache.org/jira/browse/JELLY-293", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a \"SYSTEM\" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1."}, {"lang": "es", "value": "Durante el an\u00e1lisis sint\u00e1ctico de archivos Jelly (xml) con Apache Xerces, si se declara una entidad de tipo de archivo personalizado con una entidad \"SYSTEM\" con una URL y esa entidad se emplea en el cuerpo del archivo Jelly, el analizador sint\u00e1ctico intentar\u00e1 conectarse a dicha URL durante la creaci\u00f3n de la instancia del an\u00e1lisis. Esto podr\u00eda permitir ataques XEE (XML External Entity) en Apache Commons Jelly en versiones anteriores a la 1.0.1."}], "lastModified": "2024-11-21T03:09:54.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons_jelly:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "41EE6AE8-F18D-4CDD-BA96-4BA1ED170622", "versionEndExcluding": "1.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}