[
https://issues.apache.org/jira/browse/SOLR-13109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
RobertHathaway updated SOLR-13109:
----------------------------------
Summary: CVE-2015-1832 Threat Level 9 Against Solr v7.6. org.apache.derby
: derby : 10.9.1.0. XML external entity (XXE) vulnerability in the SqlXmlUtil
code in Apache Derby before 10.12.1.1, w/o Java Security Manager, ...attackers
to read arbitrary files or DOS (was: CVE-2015-1832 Against Solr v7.6)
> CVE-2015-1832 Threat Level 9 Against Solr v7.6. org.apache.derby : derby :
> 10.9.1.0. XML external entity (XXE) vulnerability in the SqlXmlUtil code in
> Apache Derby before 10.12.1.1, w/o Java Security Manager, ...attackers to
> read arbitrary files or DOS
> ----------------------------------
>
> Key: SOLR-13109
> URL: https://issues.apache.org/jira/browse/SOLR-13109
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Affects Versions: 7.6
> Environment: RedHat Linux. May run from RHEL versions 5, 6 or 7
> but this issue is from Sonatype component scan and should be independent of
> Linux platform version.
> Reporter: RobertHathaway
> Priority: Blocker
>
> Threat Level 9/Critical from Sonatype Application Composition Report run of
> Solr - 7.6.0, using Scanner 1.56.0-01. Enterprise security won't allow us to
> move past Solr 6.5 unless this is fixed or somehow remediated. Lots of issues
> in Solr 7.1 also; may be best to move to latest Solr.
> h2. CVE-2015-1832 Detail
> h3. Current Description
> XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache
> Derby before 10.12.1.1, when a Java Security Manager is not in place, allows
> context-dependent attackers to read arbitrary files or cause a denial of
> service (resource consumption) via vectors involving XmlVTI and the XML
> datatype.
> h3. Impact
> *CVSS v3.0 Severity and Metrics:*
> *Base Score:* [9.1 CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-1832&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H]
>
> *Vector:* AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H ([V3 legend|https://www.first.org/cvss/specification-document])
> *Impact Score:* 5.2
> *Exploitability Score:* 3.9
> [https://nvd.nist.gov/vuln/detail/CVE-2015-1832]
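The CVE text above describes the classic XXE failure mode: an XML parser that honours DOCTYPE entity declarations can be steered into reading local files or into unbounded entity expansion. The following is an added example (not Derby's or Solr's code, and not part of the issue) showing how a JAXP `DocumentBuilder` is hardened against that class of input in the same way the later Derby fix and the usual Java guidance do: any DOCTYPE is refused outright, external entity loading is switched off, and secure processing is enabled. The class name `HardenedXmlParser`, the method names and the two sample documents (one plain, one carrying an external entity declaration pointing at a placeholder path) are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example: a JAXP parser configured so XXE-style input is rejected.
public class HardenedXmlParser {

    // Build a DocumentBuilder with DTDs and external entities disabled.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: this alone removes the entity-declaration channel.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enables JAXP entity-expansion and size limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the document parsed cleanly and false when the
    // hardened parser rejected it (for example because it carried a DOCTYPE).
    static boolean parsesCleanly(String xml) throws Exception {
        DocumentBuilder builder = newHardenedBuilder();
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException rejected) {
            // disallow-doctype-decl surfaces as a fatal parse error.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an ordinary document, and one declaring an
        // external entity that points at a placeholder path (never read,
        // because the DOCTYPE itself is refused before any entity is resolved).
        String benign = "<row><name>alice</name></row>";
        String withExternalEntity =
              "<!DOCTYPE row [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
            + "<row><name>&ext;</name></row>";

        System.out.println("benign document accepted: " + parsesCleanly(benign));
        System.out.println("document with DOCTYPE accepted: " + parsesCleanly(withExternalEntity));
    }
}
```

Compile and run with `javac HardenedXmlParser.java && java HardenedXmlParser`; the JDK's default error handler also prints a `[Fatal Error]` line to stderr when the DOCTYPE is refused. The same feature set applies to `SAXParserFactory` and, via `XMLInputFactory.SUPPORT_DTD`, to StAX; when a component such as a database's XML datatype handling is outside your control, the remediation is the version upgrade named in the CVE rather than parser configuration in the calling application.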
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)