CVSS2: 5.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS3: 7.1 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

EPSS: 0.003 Low
Percentile: 66.1%
Issue Overview:
It was discovered that xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try to read local files or HTTP/FTP URLs, leading to information disclosure or denial of service. (CVE-2017-1000061)
Affected Packages:
xmlsec1
Issue Correction:
Run yum update xmlsec1 to update your system.
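As an added example (not part of the advisory and not xmlsec1 code), the following pre-check reports the DOCTYPE and external entity declarations that the issue overview describes, so a service can refuse such input before passing it to xmlsec1. The function name `dtd_findings` and both sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

class _PrologDone(Exception):
    """Raised at the root element: a DTD can only appear before it."""

def dtd_findings(xml_bytes):
    """Return (kind, name, system_id) tuples for DTD constructs in xml_bytes.

    expat does not fetch external entities on its own, so scanning
    untrusted input here reads no files and opens no connections.
    """
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Report every DOCTYPE: a filter on individual declarations can miss
        # ones hidden behind parameter entities that this scan does not expand.
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # declared with SYSTEM/PUBLIC, i.e. external
            findings.append(("external-entity", name, system_id))

    def on_root(name, attrs):
        raise _PrologDone  # prolog is over, no need to parse the body

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(xml_bytes, True)
    except _PrologDone:
        pass
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc), None))
    return findings

# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<Envelope><Data>ok</Data></Envelope>"
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE Envelope [ <!ENTITY ext SYSTEM "file:///constructed/placeholder"> ]>\n'
    b"<Envelope><Data>&ext;</Data></Envelope>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external entity", WITH_EXTERNAL_ENTITY)):
        print(label, dtd_findings(doc))
```

A non-empty result is grounds to reject the document; the check complements the package update and does not replace it.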
New Packages:
i686:
xmlsec1-openssl-1.2.20-7.4.amzn1.i686
xmlsec1-gnutls-1.2.20-7.4.amzn1.i686
xmlsec1-debuginfo-1.2.20-7.4.amzn1.i686
xmlsec1-nss-1.2.20-7.4.amzn1.i686
xmlsec1-1.2.20-7.4.amzn1.i686
xmlsec1-gcrypt-1.2.20-7.4.amzn1.i686
xmlsec1-openssl-devel-1.2.20-7.4.amzn1.i686
xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.i686
xmlsec1-devel-1.2.20-7.4.amzn1.i686
xmlsec1-nss-devel-1.2.20-7.4.amzn1.i686
xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.i686
src:
xmlsec1-1.2.20-7.4.amzn1.src
x86_64:
xmlsec1-openssl-1.2.20-7.4.amzn1.x86_64
xmlsec1-1.2.20-7.4.amzn1.x86_64
xmlsec1-openssl-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-nss-1.2.20-7.4.amzn1.x86_64
xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-gnutls-1.2.20-7.4.amzn1.x86_64
xmlsec1-nss-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-debuginfo-1.2.20-7.4.amzn1.x86_64
xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.x86_64
xmlsec1-gcrypt-1.2.20-7.4.amzn1.x86_64
Red Hat: CVE-2017-1000061
Mitre: CVE-2017-1000061
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | xmlsec1-openssl | < 1.2.20-7.4.amzn1 | xmlsec1-openssl-1.2.20-7.4.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | xmlsec1-gnutls | < 1.2.20-7.4.amzn1 | xmlsec1-gnutls-1.2.20-7.4.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | xmlsec1-debuginfo | < 1.2.20-7.4.amzn1 | xmlsec1-debuginfo-1.2.20-7.4.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | xmlsec1-nss | < 1.2.20-7.4.amzn1 | xmlsec1-nss-1.2.20-7.4.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | xmlsec1 | < 1.2.20-7.4.amzn1 | xmlsec1-1.2.20-7.4.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | xmlsec1-gcrypt | < 1.2.20-7.4.amzn1 | xmlsec1-gcrypt-1.2.20-7.4.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | xmlsec1-openssl-devel | < 1.2.20-7.4.amzn1 | xmlsec1-openssl-devel-1.2.20-7.4.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | xmlsec1-gcrypt-devel | < 1.2.20-7.4.amzn1 | xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | xmlsec1-devel | < 1.2.20-7.4.amzn1 | xmlsec1-devel-1.2.20-7.4.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | xmlsec1-nss-devel | < 1.2.20-7.4.amzn1 | xmlsec1-nss-devel-1.2.20-7.4.amzn1.i686.rpm |