{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2017-05-06T00:00:00", "datePublic": "2017-07-13T00:00:00", "descriptions": [{"lang": "en", "value": "xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-14T17:20:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2017:2492", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2492"}, {"name": "FEDORA-2020-9573355ff4", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lsh123/xmlsec/issues/43"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2017-05-06T20:43:28.312282", "ID": "CVE-2017-1000061", "REQUESTER": "dmoppert@redhat.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:2492", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2492"}, {"name": "FEDORA-2020-9573355ff4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"name": "https://github.com/lsh123/xmlsec/issues/43", "refsource": "CONFIRM", "url": "https://github.com/lsh123/xmlsec/issues/43"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T21:53:06.219Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:2492", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2492"}, {"name": "FEDORA-2020-9573355ff4", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/lsh123/xmlsec/issues/43"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000061", "datePublished": "2017-07-13T20:00:00", "dateReserved": "2017-07-10T00:00:00", "dateUpdated": "2024-08-05T21:53:06.219Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmlsec_project:xmlsec:*:*:*:*:*:*:*:*", "matchCriteriaId": "028F68AA-1521-4D93-B3C7-98D71FCB840F", "versionEndIncluding": "1.2.23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service"}, {"lang": "es", "value": "En xmlsec versi\u00f3n 1.2.23 y anteriores, son vulnerables a un problema de tipo XML External Entity Expansion mientras se analizan documentos de entrada creados, resultando en una posible divulgaci\u00f3n de informaci\u00f3n o denegaci\u00f3n de servicio."}], "id": "CVE-2017-1000061", "lastModified": "2024-11-21T03:04:04.073", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-17T13:18:17.923", "references": [{"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:2492"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/lsh123/xmlsec/issues/43"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2017:2492"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/lsh123/xmlsec/issues/43"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:2492", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "xmlsec1-0:1.2.20-7.el7_4", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-08-21T00:00:00Z"}], "bugzilla": {"description": "xmlsec1: xmlsec vulnerable to external entity expansion", "id": "1437311", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1437311"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "status": "verified"}, "cwe": "CWE-611", "details": ["xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service", "It was discovered xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs, leading to information disclosure or denial of service."], "name": "CVE-2017-1000061", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "xmlsec1", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "xmlsec1", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2017-03-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-1000061\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000061"], "threat_severity": "Moderate"}