During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/101052 | Third Party Advisory VDB Entry |
http://www.securitytracker.com/id/1039444 | Third Party Advisory VDB Entry |
https://issues.apache.org/jira/browse/JELLY-293 | Issue Tracking Vendor Advisory Patch |
https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3E |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2017-09-27T00:00:00
Updated: 2017-09-29T09:57:01
Reserved: 2017-08-07T00:00:00
Link: CVE-2017-12621
JSON object: View
NVD Information
Status : Modified
Published: 2017-09-28T01:29:01.293
Modified: 2023-11-07T02:38:26.773
Link: CVE-2017-12621
JSON object: View
Redhat Information
No data.
CWE