CVE-2017-1289 - OpenCVE

IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	Sdk

Configuration 1 [-]

OR	cpe:2.3:a:ibm:sdk::service_refresh_16_fp41:::java_technology_edition:::
	cpe:2.3:a:ibm:sdk::service_refresh_8_fp41:::java_technology_edition:::
	cpe:2.3:a:ibm:sdk::service_refresh_10_fp1:::java_technology_edition:::
	cpe:2.3:a:ibm:sdk::service_refresh_4_fp1:::java_technology_edition:::
	cpe:2.3:a:ibm:sdk::service_refresh_4_fp2:::java_technology_edition:::

References

Link	Resource
http://www.securityfocus.com/bid/98401	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:1220
https://access.redhat.com/errata/RHSA-2017:1221
https://access.redhat.com/errata/RHSA-2017:1222
https://access.redhat.com/errata/RHSA-2017:3453
https://www.ibm.com/support/docview.wss?uid=swg22002169	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2017-05-22T20:00:00

Updated: 2018-01-04T19:57:01

Reserved: 2016-11-30T00:00:00

Link: CVE-2017-1289

JSON object: View

NVD Information

Status : Modified

Published: 2017-05-22T20:29:00.313

Modified: 2018-01-05T02:31:29.573

Link: CVE-2017-1289

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "Runtimes for Java Technology", "vendor": "IBM Corporation", "versions": [{"status": "affected", "version": "6.0, 6.1, 7.0, 7.1, 8.0"}]}], "datePublic": "2017-05-08T00:00:00", "descriptions": [{"lang": "en", "value": "IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150."}], "problemTypes": [{"descriptions": [{"description": "Obtain Information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"name": "RHSA-2017:1221", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1221"}, {"name": "RHSA-2017:1220", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1220"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/docview.wss?uid=swg22002169"}, {"name": "RHSA-2017:1222", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1222"}, {"name": "98401", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/98401"}, {"name": "RHSA-2017:3453", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:3453"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2017-1289", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Runtimes for Java Technology", "version": {"version_data": [{"version_value": "6.0, 6.1, 7.0, 7.1, 8.0"}]}}]}, "vendor_name": "IBM Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Obtain Information"}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:1221", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1221"}, {"name": "RHSA-2017:1220", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1220"}, {"name": "https://www.ibm.com/support/docview.wss?uid=swg22002169", "refsource": "CONFIRM", "url": "https://www.ibm.com/support/docview.wss?uid=swg22002169"}, {"name": "RHSA-2017:1222", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1222"}, {"name": "98401", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98401"}, {"name": "RHSA-2017:3453", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:3453"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2017-1289", "datePublished": "2017-05-22T20:00:00", "dateReserved": "2016-11-30T00:00:00", "dateUpdated": "2018-01-04T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:sdk:*:service_refresh_16_fp41:*:*:java_technology_edition:*:*:*", "matchCriteriaId": "CD06C8C9-F372-447B-BACF-FFF285FA752B", "versionEndIncluding": "6", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:sdk:*:service_refresh_8_fp41:*:*:java_technology_edition:*:*:*", "matchCriteriaId": "433DD25E-7F4E-4A13-B1C2-6D42E9C6F543", "versionEndIncluding": "6r1", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:sdk:*:service_refresh_10_fp1:*:*:java_technology_edition:*:*:*", "matchCriteriaId": "A5A902B3-8747-4185-BA40-F2F6E93340B0", "versionEndIncluding": "7", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:sdk:*:service_refresh_4_fp1:*:*:java_technology_edition:*:*:*", "matchCriteriaId": "7E1CBA89-77F9-4E73-B22C-D9B7566B0335", "versionEndIncluding": "7r1", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:sdk:*:service_refresh_4_fp2:*:*:java_technology_edition:*:*:*", "matchCriteriaId": "DA657C59-DF17-496C-B7CB-16F8A594430A", "versionEndIncluding": "8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150."}, {"lang": "es", "value": "SDK de IBM, Java Technology Edition es vulnerable a un error de inyecci\u00f3n XML External Entity (XXE) al procesar datos XML. Un atacante remoto podr\u00eda explotar esta vulnerabilidad para exponer informaci\u00f3n altamente confidencial o consumir recursos de memoria. ID de IBM X-Force: 125150."}], "id": "CVE-2017-1289", "lastModified": "2018-01-05T02:31:29.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-22T20:29:00.313", "references": [{"source": "psirt@us.ibm.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/98401"}, {"source": "psirt@us.ibm.com", "url": "https://access.redhat.com/errata/RHSA-2017:1220"}, {"source": "psirt@us.ibm.com", "url": "https://access.redhat.com/errata/RHSA-2017:1221"}, {"source": "psirt@us.ibm.com", "url": "https://access.redhat.com/errata/RHSA-2017:1222"}, {"source": "psirt@us.ibm.com", "url": "https://access.redhat.com/errata/RHSA-2017:3453"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/docview.wss?uid=swg22002169"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}