Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02ZzMzLTgyZ2MtM3B3Nc4AAYbA

Improper Restriction of XML External Entity Reference in Jelly

During parsing of a Jelly (XML) file with Apache Xerces, if the file's DOCTYPE declares a custom entity with a "SYSTEM" identifier pointing at a URL, and that entity is referenced in the body of the Jelly file, the parser attempts to connect to that URL while the file is being parsed. This allows XML External Entity (XXE) attacks against Apache Commons Jelly before 1.0.1: file contents can be pulled into the document, and the parser will open outbound connections to attacker-chosen URLs.
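The mechanism described above, as an added example that is not part of this advisory or of the Commons Jelly project: Jelly runs on Java and Xerces, but Python's standard-library xml.sax parser is expat-based and exposes the same external-general-entities switch, so the behaviour can be reproduced offline. The Jelly script, the "secret" file and its path are all constructed for the example; a file:// URL keeps it offline, but an http:// URL goes through the same code path and produces an outbound request.

```python
"""XXE through a SYSTEM entity in a Jelly script, reproduced with Python's
expat-based xml.sax parser.  Constructed example: Jelly itself is Java on
Xerces; the script, the secret file and its path are made up here."""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax import handler

# Constructed stand-in for whatever the SYSTEM URL points at.  A local file
# keeps the example offline; an http:// URL makes the parser open an outbound
# connection through exactly the same code path.
_SECRET_PATH = pathlib.Path(tempfile.mkdtemp()) / "secret.txt"
_SECRET_PATH.write_text("s3cr3t-token")


def malicious_jelly_script(target_url: str) -> bytes:
    """Constructed Jelly script: the DOCTYPE declares an external SYSTEM
    entity and the body references it (external entities may appear in
    element content but not in attribute values, hence the j:set body)."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE jelly [ <!ENTITY xxe SYSTEM "{target_url}"> ]>
<j:jelly xmlns:j="jelly:core">
  <j:set var="leak">&xxe;</j:set>
</j:jelly>
""".encode()


class _TextCollector(handler.ContentHandler):
    """Collects character data; with a live XXE the fetched content lands here."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class _RejectDoctype:
    """Lexical handler that refuses any DOCTYPE, the equivalent of Xerces'
    disallow-doctype-decl feature: a document that cannot declare entities
    cannot smuggle a SYSTEM one, whatever the entity features are set to."""

    def startDTD(self, name, public_id, system_id):
        raise xml.sax.SAXException(f"DOCTYPE '{name}' rejected: DTDs are not allowed")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_text(doc: bytes, *, resolve_external_entities: bool, allow_doctype: bool = True) -> str:
    """Parse `doc` and return its stripped character data.

    resolve_external_entities=True mirrors the vulnerable configuration (the
    SAX external-general-entities feature left on): the parser dereferences
    the SYSTEM URL during parsing.  allow_doctype=False installs the DOCTYPE
    veto above, which stops the attack even if the entity feature is on.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    if not allow_doctype:
        parser.setProperty(handler.property_lexical_handler, _RejectDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(doc))
    return "".join(collector.chunks).strip()


def demonstrate():
    """Run the same script through the vulnerable and the hardened configurations."""
    doc = malicious_jelly_script(_SECRET_PATH.as_uri())
    leaked = parse_text(doc, resolve_external_entities=True)      # vulnerable: URL fetched
    silent = parse_text(doc, resolve_external_entities=False)     # entity left unresolved
    try:
        parse_text(doc, resolve_external_entities=True, allow_doctype=False)
        rejected = False
    except xml.sax.SAXException:
        rejected = True                                           # DOCTYPE vetoed
    return leaked, silent, rejected


if __name__ == "__main__":
    leaked, silent, rejected = demonstrate()
    print(f"external entities on : {leaked!r}")
    print(f"external entities off: {silent!r}")
    print(f"DOCTYPE rejected     : {rejected}")
```

Running the script shows the three outcomes side by side: with external general entities enabled the secret file's contents appear as character data of the j:set element; with the feature off the reference resolves to nothing; with the DOCTYPE veto installed parsing stops before the body is reached. The Java counterparts on a Xerces SAXParserFactory or XMLReader are the features http://apache.org/xml/features/disallow-doctype-decl (true) and http://xml.org/sax/features/external-general-entities plus external-parameter-entities (false). The gate has to live in the parser configuration; grepping incoming files for "SYSTEM" is not a substitute, and an attacker who cannot see the fetched content still gets the outbound connection.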

Permalink: https://github.com/advisories/GHSA-6g33-82gc-3pw5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02ZzMzLTgyZ2MtM3B3Nc4AAYbA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-6g33-82gc-3pw5, CVE-2017-12621
References:
Blast Radius: 14.3

Affected Packages

maven:commons-jelly:commons-jelly
Dependent packages: 82
Dependent repositories: 29
Downloads:
Affected Version Ranges: <= 1.0
Fixed in: 1.0.1
All affected versions: 1.0.1
All unaffected versions: