Your submission was sent successfully! Close

CVE-2017-1000061

Published: 17 July 2017

xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service

From the Ubuntu Security Team

It was discovered that xmlsec incorrectly handled certain input documents. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service.

Notes

AuthorNote
rodrigo-zaiden
for full protection, libxml2 should be patched against
CVE-2016-9318.
in a patched version of xmlsec1 tool, if needed, parsing
external entities can be forced with --xxe option.
Priority

Low

CVSS 3 base score: 7.1

Status

Package Release Status
xmlsec1
Launchpad, Ubuntu, Debian
artful Not vulnerable
(1.2.24-3)
bionic Not vulnerable
(1.2.24-3)
cosmic Not vulnerable
(1.2.24-3)
disco Not vulnerable
(1.2.24-3)
eoan Not vulnerable
(1.2.24-3)
focal Not vulnerable
(1.2.24-3)
groovy Not vulnerable
(1.2.24-3)
hirsute Not vulnerable
(1.2.24-3)
impish Not vulnerable
(1.2.24-3)
jammy Not vulnerable
(1.2.24-3)
kinetic Not vulnerable
(1.2.24-3)
precise Does not exist

trusty Does not exist
(trusty was needed)
upstream
Released (1.2.24-1)
xenial
Released (1.2.20-2ubuntu4+esm1)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)