CVE-2013-6440

Опубликовано: 11 дек. 2013

Источник: redhat

CVSS2: 5

EPSS Низкий

Описание

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat JBoss Data Virtualization 6	xmltooling	Not affected
Red Hat JBoss Enterprise Application Platform 5	xmltooling	Will not fix
Red Hat JBoss Enterprise Web Server 1	fuse-6.0	Affected
Red Hat JBoss Enterprise Web Server 1	fuse-esb-7.1	Affected
Red Hat JBoss Enterprise Web Server 1	fuse-others	Will not fix
Red Hat JBoss Operations Network 3	xmltooling	Not affected
Red Hat JBoss Portal 5	xmltooling	Will not fix
Red Hat JBoss Portal 6	xmltooling	Affected
Fuse ESB Enterprise 7.1.0		Fixed	RHSA-2014:0452	30.04.2014
Fuse Management Console 7.1.0		Fixed	RHSA-2014:0452	30.04.2014

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-611

https://bugzilla.redhat.com/show_bug.cgi?id=1043332Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter

EPSS

Процентиль: 73%

0.0075

Низкий

5 Medium

CVSS2

Связанные уязвимости

CVE-2013-6440

ubuntu

почти 12 лет назад

CVE-2013-6440

nvd

почти 12 лет назад

CVE-2013-6440

debian

почти 12 лет назад

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, ...

GHSA-v723-58jv-2qc4

github

больше 3 лет назад

Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML

EPSS

Процентиль: 73%

0.0075

Низкий

5 Medium

CVSS2