CVE-2017-12621
Published: Sep 27, 2017
Modified: Sep 16, 2024
State: PUBLISHED
Description
During Jelly (XML) file parsing with Apache Xerces, if a custom DOCTYPE declares a "SYSTEM" entity with a URL and that entity is referenced in the body of the Jelly file, the parser attempts to connect to that URL while it is being instantiated. This can lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache Commons Jelly | affected 1.0 |
References
- https://issues.apache.org/jira/browse/JELLY-293 (vendor confirmation)
- [dev] 20170927 [SECURITY] CVE-2017-12621 Apache Commons Jelly connects to URL with custom doctype definitions. (mailing list)
- 101052 (vulnerability database entry, SecurityFocus BID)
- 1039444 (vulnerability database entry, SecurityTracker)