Lucene search
GoogleOSV:GHSA-6G33-82GC-3PW5HistoryMay 17, 2022 - 12:34 a.m.
Improper Restriction of XML External Entity Reference in Jelly
2022-05-1700:34:13
Google
osv.dev
11
apache xerces
jelly parsing
xml external entity (xxe)
EPSS
0.006
Percentile
78.2%
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a “SYSTEM” entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.
References
github.com/apache/commons-jelly
issues.apache.org/jira/browse/JELLY-293
lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73@%3Cdev.commons.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2017-12621
web.archive.org/web/20200227144849/www.securityfocus.com/bid/101052
web.archive.org/web/20210303081618/www.securitytracker.com/id/1039444
Related
nvd
nvd
CVE-2017-12621
2017-09-28 01:29:01
cvelist
cvelist
CVE-2017-12621
2017-09-27 00:00:00
github
github
Improper Restriction of XML External Entity Reference in Jelly
2022-05-17 00:34:13
redhatcve
redhatcve
CVE-2017-12621
2021-06-10 18:23:02
cve
cve
CVE-2017-12621
2017-09-28 01:29:01
ubuntucve
ubuntucve
CVE-2017-12621
2017-09-28 00:00:00
veracode
veracode
XML External Entity (XXE)
2017-09-28 03:17:39
prion
prion
Xxe
2017-09-28 01:29:00
