Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2014-0171 (GCVE-0-2014-0171)
Vulnerability from cvelistv5 – Published: 2015-01-15 15:00 – Updated: 2024-08-06 09:05
VLAI
EPSS
Summary
XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://rhn.redhat.com/errata/RHSA-2015-0034.html | vendor-advisoryx_refsource_REDHAT |
| https://issues.jboss.org/browse/TEIID-2911 | x_refsource_CONFIRM |
Date Public
2015-01-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:05:39.067Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2015:0034",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0034.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.jboss.org/browse/TEIID-2911"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-01-15T13:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2015:0034",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0034.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.jboss.org/browse/TEIID-2911"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-0171",
"datePublished": "2015-01-15T15:00:00.000Z",
"dateReserved": "2013-12-03T00:00:00.000Z",
"dateUpdated": "2024-08-06T09:05:39.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2014-0171",
"date": "2026-05-27",
"epss": "0.00379",
"percentile": "0.59532"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_data_virtualization:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"6.0.0\", \"matchCriteriaId\": \"BA2761ED-A2E4-4364-A1B4-B2262CDEE56D\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:odata4j_project:odata4j:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CA178CD8-5D96-4A9C-918E-4C123FB471AE\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de entidad externa XML (XXE) en StaxXMLFactoryProvider2 en Odata4j, usado en Red Hat JBoss Data Virtualization anterior a 6.0.0 parche 4, permite a atacantes remotos leer archivos arbitrarios a trav\\u00e9s de peticiones modificadas a un endpoint REST.\"}]",
"evaluatorComment": "CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
"id": "CVE-2014-0171",
"lastModified": "2024-11-21T02:01:33.283",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2015-01-15T15:59:00.060",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0034.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://issues.jboss.org/browse/TEIID-2911\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0034.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://issues.jboss.org/browse/TEIID-2911\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2014-0171\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-01-15T15:59:00.060\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de entidad externa XML (XXE) en StaxXMLFactoryProvider2 en Odata4j, usado en Red Hat JBoss Data Virtualization anterior a 6.0.0 parche 4, permite a atacantes remotos leer archivos arbitrarios a trav\u00e9s de peticiones modificadas a un endpoint REST.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_data_virtualization:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"6.0.0\",\"matchCriteriaId\":\"BA2761ED-A2E4-4364-A1B4-B2262CDEE56D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:odata4j_project:odata4j:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA178CD8-5D96-4A9C-918E-4C123FB471AE\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-0034.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://issues.jboss.org/browse/TEIID-2911\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-0034.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://issues.jboss.org/browse/TEIID-2911\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]}],\"evaluatorComment\":\"CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)\"}}"
}
}
CNVD-2015-00324
Vulnerability from cnvd - Published: 2015-01-15
VLAI
Title
odata4j XML外部实体注入漏洞
Description
odata4j是一个新的开源工具包。
odata4j XML存在外部实体注入漏洞,攻击者可以利用此漏洞获取敏感信息。
Severity
中
Patch Name
odata4j XML外部实体注入漏洞的补丁
Patch Description
odata4j是一个新的开源工具包。
odata4j XML存在外部实体注入漏洞,攻击者可以利用此漏洞获取敏感信息。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
用户可以联系供应商获得补丁信息: http://odata4j.org/
Reference
http://www.securityfocus.com/bid/72027
Impacted products
| Name | Odata4j Odata4j |
|---|
{
"bids": {
"bid": {
"bidNumber": "72027"
}
},
"cves": {
"cve": {
"cveNumber": "CVE-2014-0171"
}
},
"description": "odata4j\u662f\u4e00\u4e2a\u65b0\u7684\u5f00\u6e90\u5de5\u5177\u5305\u3002\r\n\r\nodata4j XML\u5b58\u5728\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
"discovererName": "David Jorm of Red Hat Product Security",
"formalWay": "\u7528\u6237\u53ef\u4ee5\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://odata4j.org/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2015-00324",
"openTime": "2015-01-15",
"patchDescription": "odata4j\u662f\u4e00\u4e2a\u65b0\u7684\u5f00\u6e90\u5de5\u5177\u5305\u3002\r\n\r\nodata4j XML\u5b58\u5728\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "odata4j XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Odata4j Odata4j"
},
"referenceLink": "http://www.securityfocus.com/bid/72027",
"serverity": "\u4e2d",
"submitTime": "2015-01-14",
"title": "odata4j XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e"
}
FKIE_CVE-2014-0171
Vulnerability from fkie_nvd - Published: 2015-01-15 15:59 - Updated: 2026-05-06 22:30
Severity
Summary
XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_data_virtualization | * | |
| odata4j_project | odata4j | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_data_virtualization:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BA2761ED-A2E4-4364-A1B4-B2262CDEE56D",
"versionEndIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:odata4j_project:odata4j:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CA178CD8-5D96-4A9C-918E-4C123FB471AE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint."
},
{
"lang": "es",
"value": "Vulnerabilidad de entidad externa XML (XXE) en StaxXMLFactoryProvider2 en Odata4j, usado en Red Hat JBoss Data Virtualization anterior a 6.0.0 parche 4, permite a atacantes remotos leer archivos arbitrarios a trav\u00e9s de peticiones modificadas a un endpoint REST."
}
],
"evaluatorComment": "CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
"id": "CVE-2014-0171",
"lastModified": "2026-05-06T22:30:45.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-01-15T15:59:00.060",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0034.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "https://issues.jboss.org/browse/TEIID-2911"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://issues.jboss.org/browse/TEIID-2911"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-GQ3W-XQF6-838R
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27
VLAI
Details
XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.
{
"affected": [],
"aliases": [
"CVE-2014-0171"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-01-15T15:59:00Z",
"severity": "MODERATE"
},
"details": "XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.",
"id": "GHSA-gq3w-xqf6-838r",
"modified": "2022-05-13T01:27:35Z",
"published": "2022-05-13T01:27:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0171"
},
{
"type": "WEB",
"url": "https://issues.jboss.org/browse/TEIID-2911"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0034.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GSD-2014-0171
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-0171",
"description": "XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.",
"id": "GSD-2014-0171",
"references": [
"https://access.redhat.com/errata/RHSA-2015:0034"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2014-0171"
],
"details": "XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.",
"id": "GSD-2014-0171",
"modified": "2023-12-13T01:22:43.901621Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-0171",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://rhn.redhat.com/errata/RHSA-2015-0034.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0034.html"
},
{
"name": "https://issues.jboss.org/browse/TEIID-2911",
"refsource": "MISC",
"url": "https://issues.jboss.org/browse/TEIID-2911"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_data_virtualization:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "6.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:odata4j_project:odata4j:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-0171"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://issues.jboss.org/browse/TEIID-2911",
"refsource": "CONFIRM",
"tags": [
"Exploit"
],
"url": "https://issues.jboss.org/browse/TEIID-2911"
},
{
"name": "RHSA-2015:0034",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0034.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2020-03-26T19:33Z",
"publishedDate": "2015-01-15T15:59Z"
}
}
}
RHSA-2015:0034
Vulnerability from csaf_redhat - Published: 2015-01-12 17:32 - Updated: 2026-05-14 22:17Summary
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.0.0 security update
Severity
Moderate
Notes
Topic: Red Hat JBoss Data Virtualization 6.0.0 roll up patch 4, which fixes three
security issues and various bugs, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details: Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems—such as multiple databases, XML
files, and even Hadoop systems—appear as a set of tables in a local
database.
This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data
Virtualization 6.0.0. It includes various bug fixes, which are listed in
the README file included with the patch files.
The following security issues are also fixed with this release:
It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a
REST endpoint was deployed, a remote attacker could submit a request
containing an external XML entity that, when resolved, allowed that
attacker to read files on the application server in the context of the user
running that server. (CVE-2014-0171)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
It was found that the security audit functionality logged request
parameters in plain text. This may have caused passwords to be included in
the audit log files when using BASIC or FORM-based authentication. A local
attacker with access to audit log files could possibly use this flaw to
obtain application or server authentication credentials. (CVE-2014-0058)
The CVE-2014-0171 issue was discovered by David Jorm of Red Hat Product
Security; the CVE-2013-2035 issue was discovered by Florian Weimer of Red
Hat Product Security.
All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this roll up patch.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.
3.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Data Virtualization 6.0
Red Hat / Red Hat JBoss Data Virtualization
|
cpe:/a:redhat:jboss_data_virtualization:6.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.
1.9 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Data Virtualization 6.0
Red Hat / Red Hat JBoss Data Virtualization
|
cpe:/a:redhat:jboss_data_virtualization:6.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Data Virtualization 6.0
Red Hat / Red Hat JBoss Data Virtualization
|
cpe:/a:redhat:jboss_data_virtualization:6.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
19 references
Acknowledgments
Red Hat Product Security Team
Florian Weimer
Red Hat Product Security
David Jorm
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Data Virtualization 6.0.0 roll up patch 4, which fixes three\nsecurity issues and various bugs, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Data Virtualization is a lean data integration solution that\nprovides easy, real-time, and unified data access across disparate sources\nto multiple applications and users. JBoss Data Virtualization makes data\nspread across physically distinct systems\u2014such as multiple databases, XML\nfiles, and even Hadoop systems\u2014appear as a set of tables in a local\ndatabase.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss Data\nVirtualization 6.0.0. It includes various bug fixes, which are listed in\nthe README file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a\nREST endpoint was deployed, a remote attacker could submit a request\ncontaining an external XML entity that, when resolved, allowed that\nattacker to read files on the application server in the context of the user\nrunning that server. (CVE-2014-0171)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nIt was found that the security audit functionality logged request\nparameters in plain text. This may have caused passwords to be included in\nthe audit log files when using BASIC or FORM-based authentication. A local\nattacker with access to audit log files could possibly use this flaw to\nobtain application or server authentication credentials. (CVE-2014-0058)\n\nThe CVE-2014-0171 issue was discovered by David Jorm of Red Hat Product\nSecurity; the CVE-2013-2035 issue was discovered by Florian Weimer of Red\nHat Product Security.\n\nAll users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this roll up patch.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:0034",
"url": "https://access.redhat.com/errata/RHSA-2015:0034"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.0.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.0.0"
},
{
"category": "external",
"summary": "958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "1063641",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641"
},
{
"category": "external",
"summary": "1085555",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1085555"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0034.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.0.0 security update",
"tracking": {
"current_release_date": "2026-05-14T22:17:57+00:00",
"generator": {
"date": "2026-05-14T22:17:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2015:0034",
"initial_release_date": "2015-01-12T17:32:39+00:00",
"revision_history": [
{
"date": "2015-01-12T17:32:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:35:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:17:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.0",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.0",
"product_id": "Red Hat JBoss Data Virtualization 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Virtualization"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Florian Weimer"
],
"organization": "Red Hat Product Security Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-2035",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2013-04-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "958618"
}
],
"notes": [
{
"category": "description",
"text": "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2035"
},
{
"category": "external",
"summary": "RHBZ#958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2035",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035"
}
],
"release_date": "2013-05-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-01-12T17:32:39+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Data Virtualization installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Data Virtualization server by starting the JBoss Application Server\nprocess.",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0034"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "HawtJNI: predictable temporary file name leading to local arbitrary code execution"
},
{
"cve": "CVE-2014-0058",
"discovery_date": "2014-02-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1063641"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "EAP6: Plain text password logging during security audit",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0058"
},
{
"category": "external",
"summary": "RHBZ#1063641",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0058",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0058"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058"
}
],
"release_date": "2014-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-01-12T17:32:39+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Data Virtualization installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Data Virtualization server by starting the JBoss Application Server\nprocess.",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0034"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "EAP6: Plain text password logging during security audit"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Product Security",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0171",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2014-03-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1085555"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Odata4j: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0171"
},
{
"category": "external",
"summary": "RHBZ#1085555",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1085555"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0171",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0171"
}
],
"release_date": "2015-01-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-01-12T17:32:39+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Data Virtualization installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Data Virtualization server by starting the JBoss Application Server\nprocess.",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0034"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Odata4j: XML eXternal Entity (XXE) flaw"
}
]
}
RHSA-2015_0034
Vulnerability from csaf_redhat - Published: 2015-01-12 17:32 - Updated: 2024-11-22 08:27Summary
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.0.0 security update
Severity
Moderate
Notes
Topic: Red Hat JBoss Data Virtualization 6.0.0 roll up patch 4, which fixes three
security issues and various bugs, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details: Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems—such as multiple databases, XML
files, and even Hadoop systems—appear as a set of tables in a local
database.
This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data
Virtualization 6.0.0. It includes various bug fixes, which are listed in
the README file included with the patch files.
The following security issues are also fixed with this release:
It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a
REST endpoint was deployed, a remote attacker could submit a request
containing an external XML entity that, when resolved, allowed that
attacker to read files on the application server in the context of the user
running that server. (CVE-2014-0171)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
It was found that the security audit functionality logged request
parameters in plain text. This may have caused passwords to be included in
the audit log files when using BASIC or FORM-based authentication. A local
attacker with access to audit log files could possibly use this flaw to
obtain application or server authentication credentials. (CVE-2014-0058)
The CVE-2014-0171 issue was discovered by David Jorm of Red Hat Product
Security; the CVE-2013-2035 issue was discovered by Florian Weimer of Red
Hat Product Security.
All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this roll up patch.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.
3.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Data Virtualization 6.0
Red Hat / Red Hat JBoss Data Virtualization
|
cpe:/a:redhat:jboss_data_virtualization:6.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.
1.9 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Data Virtualization 6.0
Red Hat / Red Hat JBoss Data Virtualization
|
cpe:/a:redhat:jboss_data_virtualization:6.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Data Virtualization 6.0
Red Hat / Red Hat JBoss Data Virtualization
|
cpe:/a:redhat:jboss_data_virtualization:6.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
19 references
Acknowledgments
Red Hat Product Security Team
Florian Weimer
Red Hat Product Security
David Jorm
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Data Virtualization 6.0.0 roll up patch 4, which fixes three\nsecurity issues and various bugs, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Data Virtualization is a lean data integration solution that\nprovides easy, real-time, and unified data access across disparate sources\nto multiple applications and users. JBoss Data Virtualization makes data\nspread across physically distinct systems\u2014such as multiple databases, XML\nfiles, and even Hadoop systems\u2014appear as a set of tables in a local\ndatabase.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss Data\nVirtualization 6.0.0. It includes various bug fixes, which are listed in\nthe README file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a\nREST endpoint was deployed, a remote attacker could submit a request\ncontaining an external XML entity that, when resolved, allowed that\nattacker to read files on the application server in the context of the user\nrunning that server. (CVE-2014-0171)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nIt was found that the security audit functionality logged request\nparameters in plain text. This may have caused passwords to be included in\nthe audit log files when using BASIC or FORM-based authentication. A local\nattacker with access to audit log files could possibly use this flaw to\nobtain application or server authentication credentials. (CVE-2014-0058)\n\nThe CVE-2014-0171 issue was discovered by David Jorm of Red Hat Product\nSecurity; the CVE-2013-2035 issue was discovered by Florian Weimer of Red\nHat Product Security.\n\nAll users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this roll up patch.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:0034",
"url": "https://access.redhat.com/errata/RHSA-2015:0034"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.0.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.0.0"
},
{
"category": "external",
"summary": "958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "1063641",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641"
},
{
"category": "external",
"summary": "1085555",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1085555"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0034.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.0.0 security update",
"tracking": {
"current_release_date": "2024-11-22T08:27:44+00:00",
"generator": {
"date": "2024-11-22T08:27:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2015:0034",
"initial_release_date": "2015-01-12T17:32:39+00:00",
"revision_history": [
{
"date": "2015-01-12T17:32:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:35:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:27:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.0",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.0",
"product_id": "Red Hat JBoss Data Virtualization 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Virtualization"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Florian Weimer"
],
"organization": "Red Hat Product Security Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-2035",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2013-04-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "958618"
}
],
"notes": [
{
"category": "description",
"text": "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2035"
},
{
"category": "external",
"summary": "RHBZ#958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2035",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035"
}
],
"release_date": "2013-05-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-01-12T17:32:39+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Data Virtualization installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Data Virtualization server by starting the JBoss Application Server\nprocess.",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0034"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "HawtJNI: predictable temporary file name leading to local arbitrary code execution"
},
{
"cve": "CVE-2014-0058",
"discovery_date": "2014-02-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1063641"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "EAP6: Plain text password logging during security audit",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0058"
},
{
"category": "external",
"summary": "RHBZ#1063641",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0058",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0058"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058"
}
],
"release_date": "2014-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-01-12T17:32:39+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Data Virtualization installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Data Virtualization server by starting the JBoss Application Server\nprocess.",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0034"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "EAP6: Plain text password logging during security audit"
},
{
"acknowledgments": [
{
"names": [
"David Jorm"
],
"organization": "Red Hat Product Security",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0171",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2014-03-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1085555"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Odata4j: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0171"
},
{
"category": "external",
"summary": "RHBZ#1085555",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1085555"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0171",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0171"
}
],
"release_date": "2015-01-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-01-12T17:32:39+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Data Virtualization installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Data Virtualization server by starting the JBoss Application Server\nprocess.",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0034"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Odata4j: XML eXternal Entity (XXE) flaw"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…