Lucene search

Veracode Vulnerability DatabaseVERACODE:11049

HistoryJan 15, 2019 - 8:56 a.m.

XML External Entity (XXE)

2019-01-1508:56:09

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

picketlink-federation is vulnerable to XML External Entity (XXE) attacks. The vulnerability exists as the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.

CPENameOperatorVersion
picketlink-federationeq2.1.1__5.Final_redhat_1.ep6.el6
picketlink-federationeq2.1.6.3__2.Final_redhat_2.2.ep6.el5
picketlink-federationeq2.1.5__3.ep5.el6
picketlink-federationeq2.1.9__4.SP3_redhat_1.1.ep6.el6
picketlink-federationeq2.1.5__3.ep5.el5
picketlink-federationeq2.1.6__3.Final_redhat_2.ep6.el6
picketlink-federationeq2.1.9__4.SP3_redhat_1.1.ep6.el5
picketlink-federationeq2.1.3.1__3.redhat_1.ep6.el6
picketlink-federationeq2.1.6.3__2.Final_redhat_2.2.ep6.el6
picketlink-federationeq2.1.1__5.Final_redhat_1.ep6.el5

Name	Operator	Version
picketlink-federation	eq	2.1.1__5.Final_redhat_1.ep6.el6
picketlink-federation	eq	2.1.6.3__2.Final_redhat_2.2.ep6.el5
picketlink-federation	eq	2.1.5__3.ep5.el6
picketlink-federation	eq	2.1.9__4.SP3_redhat_1.1.ep6.el6
picketlink-federation	eq	2.1.5__3.ep5.el5
picketlink-federation	eq	2.1.6__3.Final_redhat_2.ep6.el6
picketlink-federation	eq	2.1.9__4.SP3_redhat_1.1.ep6.el5
picketlink-federation	eq	2.1.3.1__3.redhat_1.ep6.el6
picketlink-federation	eq	2.1.6.3__2.Final_redhat_2.2.ep6.el6
picketlink-federation	eq	2.1.1__5.Final_redhat_1.ep6.el5

Rows per page:

1-10 of 381

References

rhn.redhat.com/errata/RHSA-2014-0883.html

rhn.redhat.com/errata/RHSA-2014-0884.html

rhn.redhat.com/errata/RHSA-2014-0885.html

rhn.redhat.com/errata/RHSA-2014-0886.html

rhn.redhat.com/errata/RHSA-2015-0091.html

rhn.redhat.com/errata/RHSA-2015-0675.html

rhn.redhat.com/errata/RHSA-2015-0720.html

rhn.redhat.com/errata/RHSA-2015-0765.html

rhn.redhat.com/errata/RHSA-2015-1888.html

secunia.com/advisories/60047

secunia.com/advisories/60124

www.securitytracker.com/id/1030607

access.redhat.com/errata/RHSA-2014:0883

access.redhat.com/errata/RHSA-2014:0884

access.redhat.com/errata/RHSA-2014:0885

access.redhat.com/errata/RHSA-2014:0886

access.redhat.com/errata/RHSA-2014:0897

access.redhat.com/errata/RHSA-2014:0898

access.redhat.com/errata/RHSA-2014:0910

access.redhat.com/errata/RHSA-2015:0091

access.redhat.com/errata/RHSA-2015:0234

access.redhat.com/errata/RHSA-2015:0235

access.redhat.com/errata/RHSA-2015:0675

access.redhat.com/errata/RHSA-2015:0720

access.redhat.com/errata/RHSA-2015:0765

access.redhat.com/errata/RHSA-2015:1009

access.redhat.com/errata/RHSA-2015:1888

access.redhat.com/security/cve/CVE-2014-3530

access.redhat.com/security/updates/classification/#important

bugzilla.redhat.com/show_bug.cgi?id=1112987

exchange.xforce.ibmcloud.com/vulnerabilities/94700

rhn.redhat.com/errata/RHSA-2014-0883.html

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Related for VERACODE:11049