csaf_suse - suse-su-2021:0323-1

SUSE-SU-2021:0323-1

Vulnerability from csaf_suse - Published: 2021-02-08 09:30 - Updated: 2021-02-08 09:30

Summary

Security update for nutch-core

Notes

Title of the patch

Security update for nutch-core

Description of the patch

This update for nutch-core fixes the following issue: - CVE-2021-23901: fixed an XML external entity (XXE) injection in `DmozParser` (bsc#1181356)

Patchnames

SUSE-2021-323,SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-323

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for nutch-core",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for nutch-core fixes the following issue:\n\n- CVE-2021-23901: fixed an XML external entity (XXE) injection in `DmozParser` (bsc#1181356)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2021-323,SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-323",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_0323-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2021:0323-1",
        "url": "https://www.suse.com/support/update/announcement/2021/suse-su-20210323-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2021:0323-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-February/008278.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1181356",
        "url": "https://bugzilla.suse.com/1181356"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-23901 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-23901/"
      }
    ],
    "title": "Security update for nutch-core",
    "tracking": {
      "current_release_date": "2021-02-08T09:30:11Z",
      "generator": {
        "date": "2021-02-08T09:30:11Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2021:0323-1",
      "initial_release_date": "2021-02-08T09:30:11Z",
      "revision_history": [
        {
          "date": "2021-02-08T09:30:11Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nutch-core-1.0.1-4.3.1.noarch",
                "product": {
                  "name": "nutch-core-1.0.1-4.3.1.noarch",
                  "product_id": "nutch-core-1.0.1-4.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Manager Server Module 4.1",
                "product": {
                  "name": "SUSE Manager Server Module 4.1",
                  "product_id": "SUSE Manager Server Module 4.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-suse-manager-server:4.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nutch-core-1.0.1-4.3.1.noarch as component of SUSE Manager Server Module 4.1",
          "product_id": "SUSE Manager Server Module 4.1:nutch-core-1.0.1-4.3.1.noarch"
        },
        "product_reference": "nutch-core-1.0.1-4.3.1.noarch",
        "relates_to_product_reference": "SUSE Manager Server Module 4.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-23901",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-23901"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions \u003c 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Manager Server Module 4.1:nutch-core-1.0.1-4.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-23901",
          "url": "https://www.suse.com/security/cve/CVE-2021-23901"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1181356 for CVE-2021-23901",
          "url": "https://bugzilla.suse.com/1181356"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Manager Server Module 4.1:nutch-core-1.0.1-4.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Manager Server Module 4.1:nutch-core-1.0.1-4.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-02-08T09:30:11Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2021-23901"
    }
  ]
}

CVE-2021-23901 (GCVE-0-2021-23901)

Vulnerability from cvelistv5 – Published: 2021-01-25 09:25 – Updated: 2025-02-13 16:27

Summary

An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.

Severity ?

No CVSS data available.

CWE

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread.html/r090321840b4…	x_refsource_MISC
	https://issues.apache.org/jira/browse/NUTCH-2841	x_refsource_MISC
	https://lists.apache.org/thread.html/r7ddfd680aa7…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r5e2f7737b42…	mailing-listx_refsource_MLIST
	https://security.netapp.com/advisory/ntap-2021051…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Nutch	Affected: Apache Nutch , ≤ 1.17 (custom)

Credits

The Apache Nutch Project Management Committee would like to thank Martin Heyden for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:14:09.168Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r090321840b44cc91086c4e317bf2baffa270749dde6c1273b6567f7c%40%3Cdev.nutch.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/NUTCH-2841"
          },
          {
            "name": "[nutch-dev] 20210125 Re: CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r7ddfd680aa7ea001ca8da63bb23e3f8caa095a8b4f2261e46bade5c7%40%3Cdev.nutch.apache.org%3E"
          },
          {
            "name": "[announce] 20210124 CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r5e2f7737b42c73a3325f3c2c8cdee1ec27631b3a0e144104d84d70e6%40%3Cannounce.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210513-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Nutch",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.17",
              "status": "affected",
              "version": "Apache Nutch",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The Apache Nutch Project Management Committee would like to thank Martin Heyden for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions \u003c 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-03T19:15:43.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r090321840b44cc91086c4e317bf2baffa270749dde6c1273b6567f7c%40%3Cdev.nutch.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.apache.org/jira/browse/NUTCH-2841"
        },
        {
          "name": "[nutch-dev] 20210125 Re: CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r7ddfd680aa7ea001ca8da63bb23e3f8caa095a8b4f2261e46bade5c7%40%3Cdev.nutch.apache.org%3E"
        },
        {
          "name": "[announce] 20210124 CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r5e2f7737b42c73a3325f3c2c8cdee1ec27631b3a0e144104d84d70e6%40%3Cannounce.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210513-0003/"
        }
      ],
      "source": {
        "defect": [
          "NUTCH-2841"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-23901",
          "STATE": "PUBLIC",
          "TITLE": "An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Nutch",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Nutch",
                            "version_value": "1.17"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "The Apache Nutch Project Management Committee would like to thank Martin Heyden for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions \u003c 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r090321840b44cc91086c4e317bf2baffa270749dde6c1273b6567f7c%40%3Cdev.nutch.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r090321840b44cc91086c4e317bf2baffa270749dde6c1273b6567f7c%40%3Cdev.nutch.apache.org%3E"
            },
            {
              "name": "https://issues.apache.org/jira/browse/NUTCH-2841",
              "refsource": "MISC",
              "url": "https://issues.apache.org/jira/browse/NUTCH-2841"
            },
            {
              "name": "[nutch-dev] 20210125 Re: CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r7ddfd680aa7ea001ca8da63bb23e3f8caa095a8b4f2261e46bade5c7@%3Cdev.nutch.apache.org%3E"
            },
            {
              "name": "[announce] 20210124 CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r5e2f7737b42c73a3325f3c2c8cdee1ec27631b3a0e144104d84d70e6@%3Cannounce.apache.org%3E"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210513-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210513-0003/"
            }
          ]
        },
        "source": {
          "defect": [
            "NUTCH-2841"
          ],
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-23901",
    "datePublished": "2021-01-25T09:25:14.000Z",
    "dateReserved": "2021-01-12T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:27:46.383Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2021:0323-1

CVE-2021-23901 (GCVE-0-2021-23901)

Tags

Sightings

Nomenclature