Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2017-1000061

Published: 17 July 2017

xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service

From the Ubuntu Security Team

It was discovered that xmlsec incorrectly handled certain input documents. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service.

Notes

AuthorNote
rodrigo-zaiden
for full protection, libxml2 should be patched against
CVE-2016-9318.
in a patched version of xmlsec1 tool, if needed, parsing
external entities can be forced with --xxe option.

Priority

Low

Cvss 3 Severity Score

7.1

Score breakdown

Status

Package Release Status
xmlsec1
Launchpad, Ubuntu, Debian
artful Not vulnerable
(1.2.24-3)
bionic Not vulnerable
(1.2.24-3)
cosmic Not vulnerable
(1.2.24-3)
disco Not vulnerable
(1.2.24-3)
eoan Not vulnerable
(1.2.24-3)
focal Not vulnerable
(1.2.24-3)
groovy Not vulnerable
(1.2.24-3)
hirsute Not vulnerable
(1.2.24-3)
impish Not vulnerable
(1.2.24-3)
jammy Not vulnerable
(1.2.24-3)
kinetic Not vulnerable
(1.2.24-3)
precise Does not exist

trusty
Released (1.2.18-2ubuntu1+esm1)
upstream
Released (1.2.24-1)
xenial
Released (1.2.20-2ubuntu4+esm1)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)

Severity score breakdown

Parameter Value
Base score 7.1
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact High
Vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H