Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13cDJmLWhyZzItM3I1bc4AATXV
Improper Restriction of XML External Entity Reference in Apache uimaj
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, and Apache uimaDUCC prior to 2.2.2, this vulnerability relates to the XML external entity expansion (XXE) capability of various XML parsers. As part of its configuration and operation, UIMA may read XML from various sources, which could be tainted so as to cause inadvertent disclosure of local files or other internal content.
Permalink: https://github.com/advisories/GHSA-wp2f-hrg2-3r5m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cDJmLWhyZzItM3I1bc4AATXV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-wp2f-hrg2-3r5m, CVE-2017-15691
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-15691
- https://access.redhat.com/errata/RHSA-2019:1545
- https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E
- https://uima.apache.org/security_report#CVE-2017-15691
- https://github.com/advisories/GHSA-wp2f-hrg2-3r5m
Affected Packages
maven:org.apache.uima:uimaj-as-core
Dependent packages: 10
Dependent repositories: 164
Downloads:
Affected Version Ranges: < 2.10.2
Fixed in: 2.10.2
All affected versions: 2.3.1, 2.4.0, 2.4.2, 2.6.0, 2.8.1, 2.9.0
All unaffected versions: 2.10.2, 2.10.3
maven:org.apache.uima:uimaj-core
Dependent packages: 506
Dependent repositories: 589
Downloads:
Affected Version Ranges: >= 3.0.0-alpha, <= 3.0.0-alpha02, < 2.10.2
Fixed in: 3.0.0-beta, 2.10.2
All affected versions: 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 2.9.0, 2.10.0, 2.10.1, 3.0.0-alpha, 3.0.0-alpha02
All unaffected versions: 2.10.2, 2.10.3, 2.10.4, 2.11.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.5.0
maven:org.apache.uima:uimafit-core
Dependent packages: 429
Dependent repositories: 265
Downloads:
Affected Version Ranges: < 2.4.0
Fixed in: 2.4.0
All affected versions: 2.0.0, 2.1.0, 2.2.0, 2.3.0
All unaffected versions: 2.4.0, 2.5.0, 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0