CVE-2008-0628 - OpenCVE

The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Complete

AV:N/AC:M/Au:N/C:N/I:P/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Sun	Jdk Jre

Configuration 1 [-]

OR	cpe:2.3:a:sun:jdk:1.6:::::::*
	cpe:2.3:a:sun:jre::update3::::::*

References

Link	Resource
http://dev2dev.bea.com/pub/advisory/277
http://scary.beasts.org/security/CESA-2007-002.html
http://secunia.com/advisories/28746	Patch Vendor Advisory
http://secunia.com/advisories/29841
http://secunia.com/advisories/29858
http://secunia.com/advisories/30780
http://security.gentoo.org/glsa/glsa-200804-28.xml
http://securityreason.com/securityalert/3621
http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1
http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml
http://www.gentoo.org/security/en/glsa/glsa-200806-11.xml
http://www.redhat.com/support/errata/RHSA-2008-0245.html
http://www.securityfocus.com/archive/1/487434/100/0/threaded
http://www.securityfocus.com/bid/27553
http://www.securitytracker.com/id?1019292
http://www.vupen.com/english/advisories/2008/0371
http://www.vupen.com/english/advisories/2008/1252
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9847

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2008-02-06T20:00:00

Updated: 2018-10-15T20:57:01

Reserved: 2008-02-06T00:00:00

Link: CVE-2008-0628

JSON object: View

NVD Information

Status : Modified

Published: 2008-02-06T21:00:00.000

Modified: 2018-10-15T22:02:16.353

Link: CVE-2008-0628

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-02-02T00:00:00", "descriptions": [{"lang": "en", "value": "The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the \"external general entities\" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "29841", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29841"}, {"name": "RHSA-2008:0245", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0245.html"}, {"name": "27553", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/27553"}, {"name": "oval:org.mitre.oval:def:9847", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9847"}, {"name": "BEA08-201.00", "tags": ["vendor-advisory", "x_refsource_BEA"], "url": "http://dev2dev.bea.com/pub/advisory/277"}, {"name": "20080202 Sun JRE / JDK bug introduces XXE possibilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/487434/100/0/threaded"}, {"name": "GLSA-200804-28", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200804-28.xml"}, {"name": "28746", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/28746"}, {"name": "3621", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/3621"}, {"name": "29858", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29858"}, {"tags": ["x_refsource_MISC"], "url": "http://scary.beasts.org/security/CESA-2007-002.html"}, {"name": "ADV-2008-1252", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/1252"}, {"name": "30780", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30780"}, {"name": "ADV-2008-0371", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/0371"}, {"name": "231246", "tags": ["vendor-advisory", "x_refsource_SUNALERT"], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1"}, {"name": "GLSA-200804-20", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml"}, {"name": "GLSA-200806-11", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://www.gentoo.org/security/en/glsa/glsa-200806-11.xml"}, {"name": "1019292", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1019292"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-0628", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the \"external general entities\" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "29841", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29841"}, {"name": "RHSA-2008:0245", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2008-0245.html"}, {"name": "27553", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27553"}, {"name": "oval:org.mitre.oval:def:9847", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9847"}, {"name": "BEA08-201.00", "refsource": "BEA", "url": "http://dev2dev.bea.com/pub/advisory/277"}, {"name": "20080202 Sun JRE / JDK bug introduces XXE possibilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/487434/100/0/threaded"}, {"name": "GLSA-200804-28", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200804-28.xml"}, {"name": "28746", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28746"}, {"name": "3621", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3621"}, {"name": "29858", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29858"}, {"name": "http://scary.beasts.org/security/CESA-2007-002.html", "refsource": "MISC", "url": "http://scary.beasts.org/security/CESA-2007-002.html"}, {"name": "ADV-2008-1252", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1252"}, {"name": "30780", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30780"}, {"name": "ADV-2008-0371", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0371"}, {"name": "231246", "refsource": "SUNALERT", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1"}, {"name": "GLSA-200804-20", "refsource": "GENTOO", "url": "http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml"}, {"name": "GLSA-200806-11", "refsource": "GENTOO", "url": "http://www.gentoo.org/security/en/glsa/glsa-200806-11.xml"}, {"name": "1019292", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1019292"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-0628", "datePublished": "2008-02-06T20:00:00", "dateReserved": "2008-02-06T00:00:00", "dateUpdated": "2018-10-15T20:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sun:jdk:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "8502A8C5-0219-406B-8DAA-BF35BCD6DC94", "vulnerable": true}, {"criteria": "cpe:2.3:a:sun:jre:*:update3:*:*:*:*:*:*", "matchCriteriaId": "EAB2C9C2-F685-450B-9980-553966FC3B63", "versionEndIncluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the \"external general entities\" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources."}, {"lang": "es", "value": "El c\u00f3digo de an\u00e1lisis sint\u00e1ctico de XML en Sun Java Runtime Environment JDK y JRE 6 actualizaci\u00f3n 3 y anteriores. Procesa referencias a entidades externas incluso cuando la propiedad \"external general entities (entidades generales externas)\" es falsa, lo que permite a atacantes remotos llevar a cabo ataques de entidades externas XML (XXE) y provocar una denegaci\u00f3n de servicio o acceso restringido a recursos."}], "id": "CVE-2008-0628", "lastModified": "2018-10-15T22:02:16.353", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 7.8, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-02-06T21:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://dev2dev.bea.com/pub/advisory/277"}, {"source": "cve@mitre.org", "url": "http://scary.beasts.org/security/CESA-2007-002.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/28746"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/29841"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/29858"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/30780"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200804-28.xml"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/3621"}, {"source": "cve@mitre.org", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1"}, {"source": "cve@mitre.org", "url": "http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml"}, {"source": "cve@mitre.org", "url": "http://www.gentoo.org/security/en/glsa/glsa-200806-11.xml"}, {"source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2008-0245.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/487434/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/27553"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1019292"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0371"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/1252"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9847"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}