CVE-2017-15691
Improper Restriction of XML External Entity Reference in Apache uimaj
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 0.78%
Description
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.
How to fix CVE-2017-15691
To remediate CVE-2017-15691, upgrade each affected package to the fixed version listed below (package names were not preserved in this record; the four entries correspond to the four affected packages listed further down).
- upgrade to 2.10.2-1 or later
- upgrade to 2.4.0 or later
- upgrade to 2.10.2 or later
- upgrade to 2.10.2 or later
Is CVE-2017-15691 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- affected versions: from 0 (all prior releases), < 2.10.2-1
- affected versions: from 0 (all prior releases), < 2.4.0
- affected versions: from 0 (all prior releases), < 2.10.2
- affected versions: from 0 (all prior releases), < 2.10.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |