Author: cwiklik
Date: Wed May  1 14:24:08 2019
New Revision: 1858489

URL: http://svn.apache.org/viewvc?rev=1858489&view=rev
Log:
Updated security_report with ducc changes to address CVE-2018-8035

Modified:
    uima/site/trunk/uima-website/docs/security_report.html
    uima/site/trunk/uima-website/xdocs/security_report.xml

Modified: uima/site/trunk/uima-website/docs/security_report.html
URL: 
http://svn.apache.org/viewvc/uima/site/trunk/uima-website/docs/security_report.html?rev=1858489&r1=1858488&r2=1858489&view=diff
==============================================================================
--- uima/site/trunk/uima-website/docs/security_report.html (original)
+++ uima/site/trunk/uima-website/docs/security_report.html Wed May  1 14:24:08 
2019
@@ -231,6 +231,33 @@
         <blockquote class="sectionBody">
                                     <p>Here are the known Security 
Vulnerabilities for Apache UIMA, listed by CVE number.</p>
                                                 <ul>
+  <li id="CVE-2018-8035">
+<pre>CVE-2018-8035: Apache UIMA DUCC webserver cross-site scripting (XSS) 
vulnerability due to unintended execution of user supplied javascript code.
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+  - Apache UIMA DUCC releases including and prior to 2.2.2
+
+Description.
+The details of this vulnerability were reported to the Apache UIMA Private 
mailing list.
+
+This  vulnerability relates to the user's browser processing of DUCC web page 
input data.
+
+The javascript comprising Apache UIMA DUCC which runs in the user's browser 
does not sufficiently filter user supplied inputs, which may result in 
unintended execution of user supplied javascript code.
+
+Mitigation:
+Users are advised to upgrade these UIMA components to the following levels:
+  - Apache UIMA DUCC: upgrade to 3.0.0 or later
+
+Credit: Marshall Schor 
+</pre>
+</li>
+</ul>
+                                                <ul>
   <li id="CVE-2017-15691">
 <pre>CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack 
exposure 
 
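Review bot: the new CVE-2018-8035 item is wrapped in its own `<ul>` ... `</ul>`, and the added `<ul>` on the last `+` line then reopens a list for the existing `<li id="CVE-2017-15691">`, so the section that is introduced as one list of CVEs is rendered as two separate lists. Suggest dropping the added `</ul>` / `<ul>` pair so the new `<li id="CVE-2018-8035">` becomes the first item of the existing list; the `id` anchor keeps working either way.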

Modified: uima/site/trunk/uima-website/xdocs/security_report.xml
URL: 
http://svn.apache.org/viewvc/uima/site/trunk/uima-website/xdocs/security_report.xml?rev=1858489&r1=1858488&r2=1858489&view=diff
==============================================================================
--- uima/site/trunk/uima-website/xdocs/security_report.xml (original)
+++ uima/site/trunk/uima-website/xdocs/security_report.xml Wed May  1 14:24:08 
2019
@@ -30,6 +30,36 @@ under the License.
 <section name="Security Update List by CVEs">
 
 <p>Here are the known Security Vulnerabilities for Apache UIMA, listed by CVE 
number.</p>
+
+<ul>
+  <li id="CVE-2018-8035">
+<pre>CVE-2018-8035: Apache UIMA DUCC webserver cross-site scripting (XSS) 
vulnerability due to unintended execution of user supplied javascript code.
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+  - Apache UIMA DUCC releases including and prior to 2.2.2
+
+Description.
+The details of this vulnerability were reported to the Apache UIMA Private 
mailing list.
+
+This  vulnerability relates to the user's browser processing of DUCC web page 
input data.
+
+The javascript comprising Apache UIMA DUCC which runs in the user's browser 
does not sufficiently filter user supplied inputs, which may result in 
unintended execution of user supplied javascript code.
+
+Mitigation:
+Users are advised to upgrade these UIMA components to the following levels:
+  - Apache UIMA DUCC: upgrade to 3.0.0 or later
+
+Credit: Marshall Schor 
+</pre>
+</li>
+</ul>
+
+
 <ul>
   <li id="CVE-2017-15691">
 <pre>CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack 
exposure 
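Review bot: in the added `<pre>` text the label `Description.` ends with a period, while the other labels in the entry (`Severity:`, `Vendor:`, `Versions Affected:`, `Mitigation:`, `Credit:`) end with a colon; change it to `Description:`. In the same block, `This  vulnerability` has a double space, and `upgrade these UIMA components` is followed by a single component, so `upgrade this UIMA component` would match the list under it. The two blank `+` lines after the added `</ul>` can be reduced to one.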

