cvelistv5 - cve-2017-15691

CVE-2017-15691 (GCVE-0-2017-15691)

Vulnerability from cvelistv5 – Published: 2018-04-26 17:00 – Updated: 2024-09-16 23:42

Summary

In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.

Severity ?

No CVSS data available.

CWE

Information Disclosure

Assigner

apache

References

URL

	Vendor	Product	Version
	Apache Software Foundation	Apache UIMA	Affected: uimaj prior to 2.10.2 Affected: uimaj 3.0.0-xxx prior to 3.0.0-beta Affected: uima-as prior to 2.10.2 Affected: uimaFIT prior to 2.4.0 Affected: uimaDUCC prior to 2.2.2

WID-SEC-W-2024-3531

Vulnerability from csaf_certbund - Published: 2024-11-24 23:00 - Updated: 2024-11-24 23:00

Summary

IBM FileNet Content Manager (Apache uimaj): Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

IBM FileNet Content Manager ist die Content-Management-Lösung für die FileNet P8-Plattform.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in IBM FileNet Content Manager ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM FileNet Content Manager ist die Content-Management-L\u00f6sung f\u00fcr die FileNet P8-Plattform.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in IBM FileNet Content Manager ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3531 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3531.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3531 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3531"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2024-11-24",
        "url": "https://www.ibm.com/support/pages/node/7173042"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM FileNet Content Manager (Apache uimaj): Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2024-11-24T23:00:00.000+00:00",
      "generator": {
        "date": "2024-11-25T09:11:27.259+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.8"
        }
      },
      "id": "WID-SEC-W-2024-3531",
      "initial_release_date": "2024-11-24T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-11-24T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.6.0.0-P8CSS-IF001",
                "product": {
                  "name": "IBM FileNet Content Manager \u003c5.6.0.0-P8CSS-IF001",
                  "product_id": "T039417"
                }
              },
              {
                "category": "product_version",
                "name": "5.6.0.0-P8CSS-IF001",
                "product": {
                  "name": "IBM FileNet Content Manager 5.6.0.0-P8CSS-IF001",
                  "product_id": "T039417-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:5.6.0.0-p8css-if001"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.5.12.0-P8CSS-IF003",
                "product": {
                  "name": "IBM FileNet Content Manager \u003c5.5.12.0-P8CSS-IF003",
                  "product_id": "T039418"
                }
              },
              {
                "category": "product_version",
                "name": "5.5.12.0-P8CSS-IF003",
                "product": {
                  "name": "IBM FileNet Content Manager 5.5.12.0-P8CSS-IF003",
                  "product_id": "T039418-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:5.5.12.0-p8css-if003"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.5.8.0-P8CSS-IF008",
                "product": {
                  "name": "IBM FileNet Content Manager \u003c5.5.8.0-P8CSS-IF008",
                  "product_id": "T039419"
                }
              },
              {
                "category": "product_version",
                "name": "5.5.8.0-P8CSS-IF008",
                "product": {
                  "name": "IBM FileNet Content Manager 5.5.8.0-P8CSS-IF008",
                  "product_id": "T039419-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:5.5.8.0-p8css-if008"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Component \u003cCP4BA-24.0.0-IF3",
                "product": {
                  "name": "IBM FileNet Content Manager Component \u003cCP4BA-24.0.0-IF3",
                  "product_id": "T039420"
                }
              },
              {
                "category": "product_version",
                "name": "Component CP4BA-24.0.0-IF3",
                "product": {
                  "name": "IBM FileNet Content Manager Component CP4BA-24.0.0-IF3",
                  "product_id": "T039420-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:component__cp4ba-24.0.0-if3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Component \u003cCP4BA-22.0.3-IF6",
                "product": {
                  "name": "IBM FileNet Content Manager Component \u003cCP4BA-22.0.3-IF6",
                  "product_id": "T039421"
                }
              },
              {
                "category": "product_version",
                "name": "Component CP4BA-22.0.3-IF6",
                "product": {
                  "name": "IBM FileNet Content Manager Component CP4BA-22.0.3-IF6",
                  "product_id": "T039421-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:component__cp4ba-22.0.3-if6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Component \u003cCP4BA-21.0.3-IF37",
                "product": {
                  "name": "IBM FileNet Content Manager Component \u003cCP4BA-21.0.3-IF37",
                  "product_id": "T039422"
                }
              },
              {
                "category": "product_version",
                "name": "Component CP4BA-21.0.3-IF37",
                "product": {
                  "name": "IBM FileNet Content Manager Component CP4BA-21.0.3-IF37",
                  "product_id": "T039422-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:component__cp4ba-21.0.3-if37"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FileNet Content Manager"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-15691",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in IBM FileNet Content Manager. Dieser Fehler betrifft die Apache uimaj-Komponente aufgrund einer XML-External-Entity-Erweiterungsfunktion verschiedener XML-Parser. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen, indem er eine speziell gestaltete XML-Datei sendet."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039418",
          "T039417",
          "T039419",
          "T039421",
          "T039420",
          "T039422"
        ]
      },
      "release_date": "2024-11-24T23:00:00.000+00:00",
      "title": "CVE-2017-15691"
    }
  ]
}

FKIE_CVE-2017-15691

Vulnerability from fkie_nvd - Published: 2018-04-26 17:29 - Updated: 2024-11-21 03:15

Severity ?

6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@apache.org	https://access.redhat.com/errata/RHSA-2019:1545
security@apache.org	https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E
security@apache.org	https://uima.apache.org/security_report#CVE-2017-15691	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2019:1545
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://uima.apache.org/security_report#CVE-2017-15691	Vendor Advisory

Impacted products

Vendor	Product	Version
apache	uimaj	*
apache	uimaj	3.0.0
apache	uimaj	3.0.0
apache	uimaj	3.0.0
apache	uima-as	*
apache	uimafit	*
apache	uimaducc	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A78884-7491-462D-AF97-62DD47C9269C",
              "versionEndExcluding": "2.10.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:uimaj:3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2EA72A9-1FF4-4A61-8C4B-F79324E8BA6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:uimaj:3.0.0:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "81712F4E-9DDD-4FC0-A0AB-D71995D90B9E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:uimaj:3.0.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "96910D04-F0D5-41CD-92D4-2AE1FF355317",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:uima-as:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7CC83F8-D102-4B60-9F2D-AA56C93272E5",
              "versionEndExcluding": "2.10.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:uimafit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "72C5A564-55B8-4D54-BA0A-6B311F4AB356",
              "versionEndExcluding": "2.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:uimaducc:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DB6C37E-E654-42A8-AC6B-A82221FFBDB1",
              "versionEndExcluding": "2.2.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
    },
    {
      "lang": "es",
      "value": "En Apache uimaj en versiones anteriores a la 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as anteriores a la 2.10.2, Apache uimaFIT anteriores a la 2.4.0 y Apache uimaDUCC anteriores a la 2.2.2, esta vulnerabilidad est\u00e1 relacionada con una capacidad de expansi\u00f3n XEE (XML External Entity) de varios analizadores sint\u00e1cticos de archivos XML. UIMA, como parte de su configuraci\u00f3n y operaci\u00f3n, puede leer XML desde varios or\u00edgenes, los cuales se pueden corromper para provocar fugas inadvertidas de archivos locales u otro contenido interno."
    }
  ],
  "id": "CVE-2017-15691",
  "lastModified": "2024-11-21T03:15:00.780",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-04-26T17:29:00.293",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://access.redhat.com/errata/RHSA-2019:1545"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://uima.apache.org/security_report#CVE-2017-15691"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2019:1545"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://uima.apache.org/security_report#CVE-2017-15691"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

RHSA-2019:1545

Vulnerability from csaf_redhat - Published: 2019-06-18 19:52 - Updated: 2025-11-21 18:08

Summary

Red Hat Security Advisory: Red Hat Fuse 7.3.1 security update

Notes

Topic

A micro version update (from 7.3 to 7.3.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

This release of Red Hat Fuse 7.3.1 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * bsh2: remote code execution via deserialization (CVE-2016-2510) * log4j: Socket receiver deserialization vulnerability (CVE-2017-5645) * uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code (CVE-2017-15691) * mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258) * thrift: Improper Access Control grants access to files outside the webservers docroot path (CVE-2018-11798) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A micro version update (from 7.3 to 7.3.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat Fuse 7.3.1 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* bsh2: remote code execution via deserialization (CVE-2016-2510)\n\n* log4j: Socket receiver deserialization vulnerability (CVE-2017-5645)\n\n* uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code (CVE-2017-15691)\n\n* mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)\n\n* thrift: Improper Access Control grants access to files outside the webservers docroot path (CVE-2018-11798)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2019:1545",
        "url": "https://access.redhat.com/errata/RHSA-2019:1545"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.fuse\u0026version=7.3.1",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.fuse\u0026version=7.3.1"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3"
      },
      {
        "category": "external",
        "summary": "1310647",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310647"
      },
      {
        "category": "external",
        "summary": "1443635",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1443635"
      },
      {
        "category": "external",
        "summary": "1572463",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1572463"
      },
      {
        "category": "external",
        "summary": "1640615",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640615"
      },
      {
        "category": "external",
        "summary": "1667188",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1667188"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1545.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Fuse 7.3.1 security update",
    "tracking": {
      "current_release_date": "2025-11-21T18:08:50+00:00",
      "generator": {
        "date": "2025-11-21T18:08:50+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2019:1545",
      "initial_release_date": "2019-06-18T19:52:20+00:00",
      "revision_history": [
        {
          "date": "2019-06-18T19:52:20+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-06-18T19:52:20+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T18:08:50+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Fuse 7.3.1",
                "product": {
                  "name": "Red Hat Fuse 7.3.1",
                  "product_id": "Red Hat Fuse 7.3.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_fuse:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Fuse"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-2510",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2016-02-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1310647"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bsh2: remote code execution via deserialization",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-2510"
        },
        {
          "category": "external",
          "summary": "RHBZ#1310647",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310647"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2510",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-2510"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2510",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2510"
        },
        {
          "category": "external",
          "summary": "https://github.com/beanshell/beanshell/releases/tag/2.0b6",
          "url": "https://github.com/beanshell/beanshell/releases/tag/2.0b6"
        }
      ],
      "release_date": "2016-02-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bsh2: remote code execution via deserialization"
    },
    {
      "cve": "CVE-2017-5645",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2017-04-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1443635"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "log4j: Socket receiver deserialization vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-5645"
        },
        {
          "category": "external",
          "summary": "RHBZ#1443635",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1443635"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-5645",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-5645"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5645",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5645"
        }
      ],
      "release_date": "2017-04-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "log4j: Socket receiver deserialization vulnerability"
    },
    {
      "cve": "CVE-2017-15691",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2018-04-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1572463"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the versions of lucene (which contains an embedded copy of uima) as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not include lucene and are not vulnerable to this issue.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-15691"
        },
        {
          "category": "external",
          "summary": "RHBZ#1572463",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1572463"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-15691",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-15691"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-15691",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15691"
        },
        {
          "category": "external",
          "summary": "https://uima.apache.org/security_report#CVE-2017-15691",
          "url": "https://uima.apache.org/security_report#CVE-2017-15691"
        }
      ],
      "release_date": "2018-04-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code"
    },
    {
      "cve": "CVE-2018-3258",
      "discovery_date": "2018-10-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1640615"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Re Hat Satellite does not support using mysql as a back end database, thus the mysql connector is not used in any Satellite installation.\n\nThe package mariadb Java client is now available in Red Hat Software Collections.  It can be installed this way:\n~~~\n  yum-config-manager --enable rhel-server-rhscl-7-rpms\n  yum install rh-mariadb103-mariadb-java-client\n~~~\nThis JDBC driver works fine with both, MariaDB and MySQL servers.  We recommend use of mariadb-java-client over mysql-java-connector where possible.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-3258"
        },
        {
          "category": "external",
          "summary": "RHBZ#1640615",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640615"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-3258",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-3258"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3258",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3258"
        },
        {
          "category": "external",
          "summary": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#CVE-2018-3258",
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#CVE-2018-3258"
        }
      ],
      "release_date": "2018-10-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)"
    },
    {
      "cve": "CVE-2018-11798",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2019-01-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1667188"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Node.js static web server in Apache Thrift, where it allowed a remote user to access files outside of the set web servers\u0027 docroot path. An attacker could use this flaw to possibly access unauthorized files and sensitive information.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "thrift: Improper Access Control grants access to files outside the  webservers docroot path",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenStack and OpenDaylight:\nThe Java implementation of thrift is used in OpenDaylight by parts of the vpnservice functionality. This flaw refers to the JavaScript (node.js) server for Thrift, which is not used or shipped with OpenDaylight or any other part of Red Hat OpenStack Platform.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-11798"
        },
        {
          "category": "external",
          "summary": "RHBZ#1667188",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1667188"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-11798",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-11798"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-11798",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11798"
        }
      ],
      "release_date": "2018-10-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "thrift: Improper Access Control grants access to files outside the  webservers docroot path"
    },
    {
      "cve": "CVE-2019-17571",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2019-12-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1785616"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "log4j: deserialization of untrusted data in SocketServer",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-17571"
        },
        {
          "category": "external",
          "summary": "RHBZ#1785616",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571"
        }
      ],
      "release_date": "2019-12-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        },
        {
          "category": "workaround",
          "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "log4j: deserialization of untrusted data in SocketServer"
    }
  ]
}

RHSA-2019_1545

Vulnerability from csaf_redhat - Published: 2019-06-18 19:52 - Updated: 2024-11-22 13:24

Summary

Red Hat Security Advisory: Red Hat Fuse 7.3.1 security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A micro version update (from 7.3 to 7.3.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat Fuse 7.3.1 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* bsh2: remote code execution via deserialization (CVE-2016-2510)\n\n* log4j: Socket receiver deserialization vulnerability (CVE-2017-5645)\n\n* uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code (CVE-2017-15691)\n\n* mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)\n\n* thrift: Improper Access Control grants access to files outside the webservers docroot path (CVE-2018-11798)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2019:1545",
        "url": "https://access.redhat.com/errata/RHSA-2019:1545"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.fuse\u0026version=7.3.1",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.fuse\u0026version=7.3.1"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3"
      },
      {
        "category": "external",
        "summary": "1310647",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310647"
      },
      {
        "category": "external",
        "summary": "1443635",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1443635"
      },
      {
        "category": "external",
        "summary": "1572463",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1572463"
      },
      {
        "category": "external",
        "summary": "1640615",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640615"
      },
      {
        "category": "external",
        "summary": "1667188",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1667188"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_1545.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Fuse 7.3.1 security update",
    "tracking": {
      "current_release_date": "2024-11-22T13:24:25+00:00",
      "generator": {
        "date": "2024-11-22T13:24:25+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2019:1545",
      "initial_release_date": "2019-06-18T19:52:20+00:00",
      "revision_history": [
        {
          "date": "2019-06-18T19:52:20+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-06-18T19:52:20+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T13:24:25+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Fuse 7.3.1",
                "product": {
                  "name": "Red Hat Fuse 7.3.1",
                  "product_id": "Red Hat Fuse 7.3.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_fuse:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Fuse"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-2510",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2016-02-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1310647"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bsh2: remote code execution via deserialization",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-2510"
        },
        {
          "category": "external",
          "summary": "RHBZ#1310647",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310647"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2510",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-2510"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2510",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2510"
        },
        {
          "category": "external",
          "summary": "https://github.com/beanshell/beanshell/releases/tag/2.0b6",
          "url": "https://github.com/beanshell/beanshell/releases/tag/2.0b6"
        }
      ],
      "release_date": "2016-02-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bsh2: remote code execution via deserialization"
    },
    {
      "cve": "CVE-2017-5645",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2017-04-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1443635"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "log4j: Socket receiver deserialization vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-5645"
        },
        {
          "category": "external",
          "summary": "RHBZ#1443635",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1443635"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-5645",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-5645"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5645",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5645"
        }
      ],
      "release_date": "2017-04-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "log4j: Socket receiver deserialization vulnerability"
    },
    {
      "cve": "CVE-2017-15691",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2018-04-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1572463"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the versions of lucene (which contains an embedded copy of uima) as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not include lucene and are not vulnerable to this issue.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-15691"
        },
        {
          "category": "external",
          "summary": "RHBZ#1572463",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1572463"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-15691",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-15691"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-15691",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15691"
        },
        {
          "category": "external",
          "summary": "https://uima.apache.org/security_report#CVE-2017-15691",
          "url": "https://uima.apache.org/security_report#CVE-2017-15691"
        }
      ],
      "release_date": "2018-04-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code"
    },
    {
      "cve": "CVE-2018-3258",
      "discovery_date": "2018-10-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1640615"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Re Hat Satellite does not support using mysql as a back end database, thus the mysql connector is not used in any Satellite installation.\n\nThe package mariadb Java client is now available in Red Hat Software Collections.  It can be installed this way:\n\n  # yum-config-manager --enable rhel-server-rhscl-7-rpms\n  # yum install rh-mariadb103-mariadb-java-client\n\nThis JDBC driver works fine with both, MariaDB and MySQL servers.  We recommend use of mariadb-java-client over mysql-java-connector where possible.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-3258"
        },
        {
          "category": "external",
          "summary": "RHBZ#1640615",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640615"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-3258",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-3258"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3258",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3258"
        },
        {
          "category": "external",
          "summary": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#CVE-2018-3258",
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#CVE-2018-3258"
        }
      ],
      "release_date": "2018-10-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)"
    },
    {
      "cve": "CVE-2018-11798",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2019-01-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1667188"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Node.js static web server in Apache Thrift, where it allowed a remote user to access files outside of the set web servers\u0027 docroot path. An attacker could use this flaw to possibly access unauthorized files and sensitive information.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "thrift: Improper Access Control grants access to files outside the  webservers docroot path",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenStack and OpenDaylight:\nThe Java implementation of thrift is used in OpenDaylight by parts of the vpnservice functionality. This flaw refers to the JavaScript (node.js) server for Thrift, which is not used or shipped with OpenDaylight or any other part of Red Hat OpenStack Platform.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-11798"
        },
        {
          "category": "external",
          "summary": "RHBZ#1667188",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1667188"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-11798",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-11798"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-11798",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11798"
        }
      ],
      "release_date": "2018-10-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "thrift: Improper Access Control grants access to files outside the  webservers docroot path"
    },
    {
      "cve": "CVE-2019-17571",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2019-12-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1785616"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "log4j: deserialization of untrusted data in SocketServer",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.3.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-17571"
        },
        {
          "category": "external",
          "summary": "RHBZ#1785616",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571"
        }
      ],
      "release_date": "2019-12-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-06-18T19:52:20+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.3.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        },
        {
          "category": "workaround",
          "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout",
          "product_ids": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Fuse 7.3.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "log4j: deserialization of untrusted data in SocketServer"
    }
  ]
}

GHSA-WP2F-HRG2-3R5M

Vulnerability from github – Published: 2022-05-14 00:58 – Updated: 2022-07-01 19:32

Summary

Improper Restriction of XML External Entity Reference in Apache uimaj

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.uima:uimafit-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.uima:uimaj-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.0-alpha02"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.uima:uimaj-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-alpha"
            },
            {
              "fixed": "3.0.0-beta"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.uima:uimaj-as-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-15691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T19:32:51Z",
    "nvd_published_at": "2018-04-26T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.",
  "id": "GHSA-wp2f-hrg2-3r5m",
  "modified": "2022-07-01T19:32:51Z",
  "published": "2022-05-14T00:58:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15691"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1545"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://uima.apache.org/security_report#CVE-2017-15691"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in  Apache uimaj"
}

CNVD-2018-09566

Vulnerability from cnvd - Published: 2018-05-16

Title

多款Apache产品信息泄露漏洞

Description

Apache UIMA是美国阿帕奇（Apache）软件基金会的一套用于分析非结构化内容（文本、视频和音频等）的框架。uimaj等都是其中提供不同功能的组件。多款Apache产品中存在安全漏洞。攻击者可利用该漏洞获取本地文件或其他内部内容。

Severity

高

Patch Name

多款Apache产品信息泄露漏洞的补丁

Patch Description

Apache UIMA是美国阿帕奇（Apache）软件基金会的一套用于分析非结构化内容（文本、视频和音频等）的框架。uimaj等都是其中提供不同功能的组件。多款Apache产品中存在安全漏洞。攻击者可利用该漏洞获取本地文件或其他内部内容。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://uima.apache.org/security_report#CVE-2017-15691

Reference

https://uima.apache.org/security_report#CVE-2017-15691

Impacted products

Name
['Apache uimaj <2.10.2', 'Apache uimaj 3.0.0-xxx，<3.0.0-beta', 'Apache uima-as <2.10.2', 'Apache uimaDUCC <2.2.2', 'Apache uimaFIT <2.4.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-15691"
    }
  },
  "description": "Apache UIMA\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u5206\u6790\u975e\u7ed3\u6784\u5316\u5185\u5bb9\uff08\u6587\u672c\u3001\u89c6\u9891\u548c\u97f3\u9891\u7b49\uff09\u7684\u6846\u67b6\u3002uimaj\u7b49\u90fd\u662f\u5176\u4e2d\u63d0\u4f9b\u4e0d\u540c\u529f\u80fd\u7684\u7ec4\u4ef6\u3002\r\n\r\n\u591a\u6b3eApache\u4ea7\u54c1\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u672c\u5730\u6587\u4ef6\u6216\u5176\u4ed6\u5185\u90e8\u5185\u5bb9\u3002",
  "discovererName": "Joern Kottmann",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://uima.apache.org/security_report#CVE-2017-15691",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-09566",
  "openTime": "2018-05-16",
  "patchDescription": "Apache UIMA\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u5206\u6790\u975e\u7ed3\u6784\u5316\u5185\u5bb9\uff08\u6587\u672c\u3001\u89c6\u9891\u548c\u97f3\u9891\u7b49\uff09\u7684\u6846\u67b6\u3002uimaj\u7b49\u90fd\u662f\u5176\u4e2d\u63d0\u4f9b\u4e0d\u540c\u529f\u80fd\u7684\u7ec4\u4ef6\u3002\r\n\r\n\u591a\u6b3eApache\u4ea7\u54c1\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u672c\u5730\u6587\u4ef6\u6216\u5176\u4ed6\u5185\u90e8\u5185\u5bb9\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eApache\u4ea7\u54c1\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache uimaj \u003c2.10.2",
      "Apache uimaj 3.0.0-xxx\uff0c\u003c3.0.0-beta",
      "Apache uima-as \u003c2.10.2",
      "Apache uimaDUCC \u003c2.2.2",
      "Apache uimaFIT \u003c2.4.0"
    ]
  },
  "referenceLink": "https://uima.apache.org/security_report#CVE-2017-15691",
  "serverity": "\u9ad8",
  "submitTime": "2018-04-28",
  "title": "\u591a\u6b3eApache\u4ea7\u54c1\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

GSD-2017-15691

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2017-15691

Aliases

CVE-2017-15691

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-15691",
    "description": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.",
    "id": "GSD-2017-15691",
    "references": [
      "https://access.redhat.com/errata/RHSA-2019:1545"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-15691"
      ],
      "details": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.",
      "id": "GSD-2017-15691",
      "modified": "2023-12-13T01:20:58.774890Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "DATE_PUBLIC": "2018-04-26T00:00:00",
        "ID": "CVE-2017-15691",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache UIMA",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "uimaj prior to 2.10.2"
                        },
                        {
                          "version_value": "uimaj 3.0.0-xxx prior to 3.0.0-beta"
                        },
                        {
                          "version_value": "uima-as prior to 2.10.2"
                        },
                        {
                          "version_value": "uimaFIT prior to 2.4.0"
                        },
                        {
                          "version_value": "uimaDUCC prior to 2.2.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information Disclosure"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://uima.apache.org/security_report#CVE-2017-15691",
            "refsource": "CONFIRM",
            "url": "https://uima.apache.org/security_report#CVE-2017-15691"
          },
          {
            "name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E"
          },
          {
            "name": "RHSA-2019:1545",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:1545"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.4.0)",
          "affected_versions": "All versions before 2.4.0",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-611",
            "CWE-937"
          ],
          "date": "2022-07-01",
          "description": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.",
          "fixed_versions": [
            "2.4.0"
          ],
          "identifier": "CVE-2017-15691",
          "identifiers": [
            "GHSA-wp2f-hrg2-3r5m",
            "CVE-2017-15691"
          ],
          "not_impacted": "All versions starting from 2.4.0",
          "package_slug": "maven/org.apache.uima/uimafit-core",
          "pubdate": "2022-05-14",
          "solution": "Upgrade to version 2.4.0 or above.",
          "title": "Improper Restriction of XML External Entity Reference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-15691",
            "https://access.redhat.com/errata/RHSA-2019:1545",
            "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E",
            "https://uima.apache.org/security_report#CVE-2017-15691",
            "https://github.com/advisories/GHSA-wp2f-hrg2-3r5m"
          ],
          "uuid": "e3ab708f-034d-4c45-ab13-eede4a894f2c"
        },
        {
          "affected_range": "(,2.10.2)",
          "affected_versions": "All versions before 2.10.2",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-611",
            "CWE-937"
          ],
          "date": "2022-07-01",
          "description": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.",
          "fixed_versions": [
            "2.10.2"
          ],
          "identifier": "CVE-2017-15691",
          "identifiers": [
            "GHSA-wp2f-hrg2-3r5m",
            "CVE-2017-15691"
          ],
          "not_impacted": "All versions starting from 2.10.2",
          "package_slug": "maven/org.apache.uima/uimaj-as-core",
          "pubdate": "2022-05-14",
          "solution": "Upgrade to version 2.10.2 or above.",
          "title": "Improper Restriction of XML External Entity Reference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-15691",
            "https://access.redhat.com/errata/RHSA-2019:1545",
            "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E",
            "https://uima.apache.org/security_report#CVE-2017-15691",
            "https://github.com/advisories/GHSA-wp2f-hrg2-3r5m"
          ],
          "uuid": "75bd31a1-a07d-4270-95ea-d86b19dc29ae"
        },
        {
          "affected_range": "(,2.10.2),[3.0.0]",
          "affected_versions": "All versions before 2.10.2, version 3.0.0",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-611",
            "CWE-937"
          ],
          "date": "2019-06-19",
          "description": "This vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.",
          "fixed_versions": [
            "2.10.2",
            "3.0.1"
          ],
          "identifier": "CVE-2017-15691",
          "identifiers": [
            "CVE-2017-15691"
          ],
          "not_impacted": "All versions starting from 2.10.2 before 3.0.0, all versions after 3.0.0",
          "package_slug": "maven/org.apache.uima/uimaj-core",
          "pubdate": "2018-04-26",
          "solution": "Upgrade to versions 2.10.2, 3.0.1 or above.",
          "title": "Improper Restriction of XML External Entity Reference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-15691",
            "https://uima.apache.org/security_report#CVE-2017-15691"
          ],
          "uuid": "783b03e3-8d78-4828-8bdb-98a448f73212"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:uimaj:3.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.10.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:uimaj:3.0.0:alpha:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:uimaj:3.0.0:alpha2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:uima-as:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.10.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:uimafit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:uimaducc:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.2.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2017-15691"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-611"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://uima.apache.org/security_report#CVE-2017-15691",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://uima.apache.org/security_report#CVE-2017-15691"
            },
            {
              "name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E"
            },
            {
              "name": "RHSA-2019:1545",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2019:1545"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-06-19T00:15Z",
      "publishedDate": "2018-04-26T17:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-15691 (GCVE-0-2017-15691)

WID-SEC-W-2024-3531

FKIE_CVE-2017-15691

RHSA-2019:1545

RHSA-2019_1545

GHSA-WP2F-HRG2-3R5M

CNVD-2018-09566

GSD-2017-15691

Tags

Sightings

Nomenclature