CVE-2017-15691 – org.apache.uima:uimaj-as-core

Package

Manager: maven
Name: org.apache.uima:uimaj-as-core
Vulnerable Version: >=0 <2.10.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00739 pctl0.72036

Details

Improper Restriction of XML External Entity Reference in Apache uimaj In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.

Metadata

Created: 2022-05-14T00:58:02Z
Modified: 2022-07-01T19:32:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wp2f-hrg2-3r5m/GHSA-wp2f-hrg2-3r5m.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-wp2f-hrg2-3r5m
Finding: F083
Auto approve: 1