All the vulnerabilites related to Apache Software Foundation - Apache UIMA
cve-2017-15691
Vulnerability from cvelistv5
Published
2018-04-26 17:00
Modified
2024-09-16 23:42
Severity ?
Summary
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:04:48.435Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://uima.apache.org/security_report#CVE-2017-15691"
          },
          {
            "name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
          },
          {
            "name": "RHSA-2019:1545",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1545"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache UIMA",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "uimaj prior to 2.10.2"
            },
            {
              "status": "affected",
              "version": "uimaj 3.0.0-xxx prior to 3.0.0-beta"
            },
            {
              "status": "affected",
              "version": "uima-as prior to 2.10.2"
            },
            {
              "status": "affected",
              "version": "uimaFIT prior to 2.4.0"
            },
            {
              "status": "affected",
              "version": "uimaDUCC prior to 2.2.2"
            }
          ]
        }
      ],
      "datePublic": "2018-04-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-18T23:06:05",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://uima.apache.org/security_report#CVE-2017-15691"
        },
        {
          "name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
        },
        {
          "name": "RHSA-2019:1545",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1545"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2018-04-26T00:00:00",
          "ID": "CVE-2017-15691",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache UIMA",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "uimaj prior to 2.10.2"
                          },
                          {
                            "version_value": "uimaj 3.0.0-xxx prior to 3.0.0-beta"
                          },
                          {
                            "version_value": "uima-as prior to 2.10.2"
                          },
                          {
                            "version_value": "uimaFIT prior to 2.4.0"
                          },
                          {
                            "version_value": "uimaDUCC prior to 2.2.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://uima.apache.org/security_report#CVE-2017-15691",
              "refsource": "CONFIRM",
              "url": "https://uima.apache.org/security_report#CVE-2017-15691"
            },
            {
              "name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E"
            },
            {
              "name": "RHSA-2019:1545",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1545"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2017-15691",
    "datePublished": "2018-04-26T17:00:00Z",
    "dateReserved": "2017-10-21T00:00:00",
    "dateUpdated": "2024-09-16T23:42:23.280Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-32287
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2024-08-03 07:39
Severity ?
Summary
Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:39:50.666Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
          },
          {
            "name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache UIMA",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.3.0",
              "status": "affected",
              "version": "Java SDK",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache UIMA would like to thank Huangzhicong from CodeSafe Team of Legendsec at Qi\u0027anxin Group"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-03T00:00:00",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
        },
        {
          "name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-32287",
    "datePublished": "2022-11-03T00:00:00",
    "dateReserved": "2022-06-03T00:00:00",
    "dateUpdated": "2024-08-03T07:39:50.666Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}