Bug#897009: uimaj: CVE-2017-15691: XML external entity expansion (XXE) attack exposure
Salvatore Bonaccorso
carnil at debian.org
Fri Apr 27 05:04:15 BST 2018
Source: uimaj
Version: 2.4.0-2
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for uimaj, filing for now
with RC severity.
CVE-2017-15691[0]:
| In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to
| 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to
| 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to
| an XML external entity expansion (XXE) capability of various XML
| parsers. UIMA as part of its configuration and operation may read XML
| from various sources, which could be tainted in ways to cause
| inadvertent disclosure of local files or other internal content.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15691
[1] https://uima.apache.org/security_report#CVE-2017-15691
Regards,
Salvatore