CVE-2015-1832 - Improper Restriction of XML External Entity Reference

Severity

64%

Complexity

99%

Confidentiality

81%

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.

CVSS 3.0 Base Score 9.1. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

CVSS 2.0 Base Score 6.4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P).

Overview

Type

Apache Software Foundation Derby

First reported 8 years ago

2016-10-03 21:59:00

Last updated 5 years ago

2019-04-23 19:29:00

Affected Software

Apache Software Foundation Derby 10.1.1.0

10.1.1.0

Apache Software Foundation Derby 10.1.2.1

10.1.2.1

Apache Software Foundation Derby 10.1.3.1

10.1.3.1

Apache Software Foundation Derby 10.2.1.6

10.2.1.6

Apache Software Foundation Derby 10.2.2.0

10.2.2.0

Apache Software Foundation Derby 10.3.3.0

10.3.3.0

Apache Software Foundation Derby 10.4.1.3

10.4.1.3

Apache Software Foundation Derby 10.4.2.0

10.4.2.0

Apache Software Foundation Derby 10.5.1.1

10.5.1.1

Apache Software Foundation Derby 10.5.3.0

10.5.3.0

Apache Software Foundation Derby 10.6.1.0

10.6.1.0

Apache Software Foundation Derby 10.6.2.1

10.6.2.1

Apache Software Foundation Derby 10.7.1.1

10.7.1.1

Apache Software Foundation Derby 10.8.1.2

10.8.1.2

Apache Software Foundation Derby 10.8.2.2

10.8.2.2

Apache Software Foundation Derby 10.8.3.0

10.8.3.0

Apache Software Foundation Derby 10.9.1.0

10.9.1.0

Apache Software Foundation Derby 10.10.1.1

10.10.1.1

Apache Software Foundation Derby 10.10.2.0

10.10.2.0

Apache Software Foundation Derby 10.11.1.1

10.11.1.1

References

93132

Third Party Advisory, VDB Entry

http://www-01.ibm.com/support/docview.wss?uid=swg21990100

Third Party Advisory

https://issues.apache.org/jira/browse/DERBY-6807

Issue Tracking

[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report

[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities

[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1

https://svn.apache.org/viewvc?view=revision&revision=1691461

Issue Tracking

N/A

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.