FKIE_CVE-2014-0191

Vulnerability from fkie_nvd - Published: 2015-01-21 14:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
References
secalert@redhat.comhttp://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
secalert@redhat.comhttp://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
secalert@redhat.comhttp://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
secalert@redhat.comhttp://rhn.redhat.com/errata/RHSA-2015-0749.html
secalert@redhat.comhttp://www-01.ibm.com/support/docview.wss?uid=swg21678183
secalert@redhat.comhttp://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlPatch, Vendor Advisory
secalert@redhat.comhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
secalert@redhat.comhttp://www.securityfocus.com/bid/67233
secalert@redhat.comhttp://xmlsoft.org/news.html
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1090976
secalert@redhat.comhttps://exchange.xforce.ibmcloud.com/vulnerabilities/93092
secalert@redhat.comhttps://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
secalert@redhat.comhttps://support.apple.com/kb/HT205030
secalert@redhat.comhttps://support.apple.com/kb/HT205031
af854a3a-2127-422b-91ae-364da2661108http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
af854a3a-2127-422b-91ae-364da2661108http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2015-0749.html
af854a3a-2127-422b-91ae-364da2661108http://www-01.ibm.com/support/docview.wss?uid=swg21678183
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/67233
af854a3a-2127-422b-91ae-364da2661108http://xmlsoft.org/news.html
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1090976
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/93092
af854a3a-2127-422b-91ae-364da2661108https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/kb/HT205030
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/kb/HT205031
Impacted products
Vendor Product Version
oracle fusion_middleware 11.1.1.7.0
oracle fusion_middleware 12.1.2.0.0
oracle fusion_middleware 12.1.3.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware:11.1.1.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8934DB1-B2A1-4C3B-B000-78826FC45C7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware:12.1.2.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4E67774-F4FB-4EA3-A527-92EF41F84248",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware:12.1.3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "97E1C55E-7A74-40F1-9C52-D84A5F55CD96",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n xmlParserHandlePEReference en parser.c en libxml2 en versiones anteriores a 2.9.2, como se utiliza en Web Listener en Oracle HTTP Server en Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0 y 12.1.3.0 y otros productos, carga entidades de par\u00e1metro externas independientemente de si la sustituci\u00f3n de entidad o la validaci\u00f3n est\u00e1n habilitadas, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s de un documento XML manipulado."
    }
  ],
  "id": "CVE-2014-0191",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2015-01-21T14:59:00.053",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0749.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21678183"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/67233"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://xmlsoft.org/news.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090976"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/93092"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://support.apple.com/kb/HT205030"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://support.apple.com/kb/HT205031"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0749.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21678183"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/67233"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://xmlsoft.org/news.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090976"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/93092"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.apple.com/kb/HT205030"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.apple.com/kb/HT205031"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.