Vulnerability Description
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Jelly | < 1.0.1 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/101052Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039444Third Party AdvisoryVDB Entry
- https://issues.apache.org/jira/browse/JELLY-293Issue TrackingPatchVendor Advisory
- https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad8
- http://www.securityfocus.com/bid/101052Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039444Third Party AdvisoryVDB Entry
- https://issues.apache.org/jira/browse/JELLY-293Issue TrackingPatchVendor Advisory
- https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad8
FAQ
What is CVE-2017-12621?
CVE-2017-12621 is a vulnerability with a CVSS score of 9.8 (CRITICAL). During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instan...
How severe is CVE-2017-12621?
CVE-2017-12621 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-12621?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Commons Jelly.