CVE-2017-15691

In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://access.redhat.com/errata/RHSA-2019:1545
https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E
https://uima.apache.org/security_report#CVE-2017-15691	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:uimaj::::::::
	cpe:2.3:a:apache:uimaj:3.0.0:::::::*
	cpe:2.3:a:apache:uimaj:3.0.0:alpha::::::
	cpe:2.3:a:apache:uimaj:3.0.0:alpha2::::::

Configuration 2 (hide)

cpe:2.3:a:apache:uima-as:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:apache:uimafit:*:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:apache:uimaducc:*:*:*:*:*:*:*:*

History

07 Nov 2023, 02:40

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E', 'name': '[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}	() https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E -

Information

Published : 2018-04-26 17:29

Updated : 2024-02-28 16:25

NVD link : CVE-2017-15691

Mitre link : CVE-2017-15691

CVE.ORG link : CVE-2017-15691

JSON object : View

Products Affected

apache

uimafit
uimaj
uima-as
uimaducc

CWE

CWE-611

Improper Restriction of XML External Entity Reference

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2017-15691

6.5^/10

4.0^/10

Attach tags to `CVE-2017-15691`