ID CVE-2017-1000061
Summary xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service
References
Vulnerable Configurations
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.8a:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.8a:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.14:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.0.15:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:0.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:0.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.0.0-:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.0.0-:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.0.0pre1:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.0.0pre1:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.0.0rc1:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.0.0rc1:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.8:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.9:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.10:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.11:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.12:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.13:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.14:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.15:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.16:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.17:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.18:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.19:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.19:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.20:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.20:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.21:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.21:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.22:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.22:*:*:*:*:*:*:*
  • cpe:2.3:a:xmlsec_project:xmlsec:1.2.23:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsec_project:xmlsec:1.2.23:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 14-06-2021 - 18:15)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:P
redhat via4
advisories
bugzilla
id 1437311
title CVE-2017-1000061 xmlsec1: xmlsec vulnerable to external entity expansion
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 7 is installed
      oval oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment xmlsec1 is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492001
        • comment xmlsec1 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492002
      • AND
        • comment xmlsec1-devel is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492003
        • comment xmlsec1-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492004
      • AND
        • comment xmlsec1-gcrypt is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492005
        • comment xmlsec1-gcrypt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492006
      • AND
        • comment xmlsec1-gcrypt-devel is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492007
        • comment xmlsec1-gcrypt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492008
      • AND
        • comment xmlsec1-gnutls is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492009
        • comment xmlsec1-gnutls is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492010
      • AND
        • comment xmlsec1-gnutls-devel is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492011
        • comment xmlsec1-gnutls-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492012
      • AND
        • comment xmlsec1-nss is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492013
        • comment xmlsec1-nss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492014
      • AND
        • comment xmlsec1-nss-devel is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492015
        • comment xmlsec1-nss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492016
      • AND
        • comment xmlsec1-openssl is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492017
        • comment xmlsec1-openssl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492018
      • AND
        • comment xmlsec1-openssl-devel is earlier than 0:1.2.20-7.el7_4
          oval oval:com.redhat.rhsa:tst:20172492019
        • comment xmlsec1-openssl-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172492020
rhsa
id RHSA-2017:2492
released 2017-08-21
severity Moderate
title RHSA-2017:2492: xmlsec1 security update (Moderate)
rpms
  • xmlsec1-0:1.2.20-7.el7_4
  • xmlsec1-debuginfo-0:1.2.20-7.el7_4
  • xmlsec1-devel-0:1.2.20-7.el7_4
  • xmlsec1-gcrypt-0:1.2.20-7.el7_4
  • xmlsec1-gcrypt-devel-0:1.2.20-7.el7_4
  • xmlsec1-gnutls-0:1.2.20-7.el7_4
  • xmlsec1-gnutls-devel-0:1.2.20-7.el7_4
  • xmlsec1-nss-0:1.2.20-7.el7_4
  • xmlsec1-nss-devel-0:1.2.20-7.el7_4
  • xmlsec1-openssl-0:1.2.20-7.el7_4
  • xmlsec1-openssl-devel-0:1.2.20-7.el7_4
refmap via4
confirm https://github.com/lsh123/xmlsec/issues/43
fedora FEDORA-2020-9573355ff4
Last major update 14-06-2021 - 18:15
Published 17-07-2017 - 13:18
Last modified 14-06-2021 - 18:15
Back to Top