ID CVE-2017-1000190
Summary SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on.
References
Vulnerable Configurations
  • cpe:2.3:a:simplexml_project:simplexml:2.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:simplexml_project:simplexml:2.7.1:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 23-07-2019 - 20:15)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:P
refmap via4
confirm https://github.com/ngallagher/simplexml/issues/18
mlist
  • [lucene-dev] 20190723 [jira] [Updated] (SOLR-13648) vulnerable simple-xml-2.7.1.jar
  • [lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
  • [lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1
  • [lucene-solr-user] 20200320 Re: CVEs (vulnerabilities) that apply to Solr 8.4.1
Last major update 23-07-2019 - 20:15
Published 17-11-2017 - 21:29
Last modified 23-07-2019 - 20:15
Back to Top