{"containers": {"cna": {"affected": [{"product": "Apache Xerces C++", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "< 3.2.1"}]}], "datePublic": "2018-02-28T00:00:00", "descriptions": [{"lang": "en", "value": "In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions."}], "problemTypes": [{"descriptions": [{"description": "Denial of Service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-31T07:06:52", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[debian-lts-announce] 20180329 [SECURITY] [DLA 1328-1] xerces-c security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00032.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt"}, {"name": "103219", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103219"}, {"name": "[oss-security] 20180301 Apache Xerces-C Security Advisory for versions < 3.2.1 [CVE-2017-12627]", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2018/q1/203"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-02-28T00:00:00", "ID": "CVE-2017-12627", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Xerces C++", "version": {"version_data": [{"version_value": "< 3.2.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service"}]}]}, "references": {"reference_data": [{"name": "[debian-lts-announce] 20180329 [SECURITY] [DLA 1328-1] xerces-c security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00032.html"}, {"name": "http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt", "refsource": "CONFIRM", "url": "http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt"}, {"name": "103219", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103219"}, {"name": "[oss-security] 20180301 Apache Xerces-C Security Advisory for versions < 3.2.1 [CVE-2017-12627]", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2018/q1/203"}, {"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365", "refsource": "CONFIRM", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:43:56.416Z"}, "title": "CVE Program Container", "references": [{"name": "[debian-lts-announce] 20180329 [SECURITY] [DLA 1328-1] xerces-c security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00032.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt"}, {"name": "103219", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103219"}, {"name": "[oss-security] 20180301 Apache Xerces-C Security Advisory for versions < 3.2.1 [CVE-2017-12627]", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2018/q1/203"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-12627", "datePublished": "2018-03-01T14:00:00Z", "dateReserved": "2017-08-07T00:00:00", "dateUpdated": "2024-09-17T01:15:50.981Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:xerces-c\\+\\+:*:*:*:*:*:*:*:*", "matchCriteriaId": "067DAA5D-2C5C-4591-817A-6CB6DBDF2D83", "versionEndExcluding": "3.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions."}, {"lang": "es", "value": "En la biblioteca Apache Xerces-C XML Parser en versiones anteriores a la 3.2.1, el procesamiento de rutas DTD externas puede resultar en una desreferencia de puntero NULL bajo ciertas condiciones."}], "id": "CVE-2017-12627", "lastModified": "2021-07-31T08:15:08.457", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-01T14:29:00.250", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2018/q1/203"}, {"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103219"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt"}, {"source": "security@apache.org", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}, {"source": "security@apache.org", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00032.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "xerces-c: Null pointer dereference while processing the path to DTD allows denial of service", "id": "1551525", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1551525"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions."], "mitigation": {"lang": "en:us", "value": "Applications should strongly consider blocking remote entity resolution and/or outright disabling of DTD processing in light of the continued identification of bugs in this area of the library."}, "name": "CVE-2017-12627", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "xerces-c", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "xerces-c", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Will not fix", "package_name": "xerces-c", "product_name": "Red Hat Enterprise MRG 2"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:3", "fix_state": "Will not fix", "package_name": "xerces-c", "product_name": "Red Hat Enterprise MRG 3"}], "public_date": "2018-03-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-12627\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-12627\nhttps://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt"], "statement": "Red Hat Enterprise MRG and MRG-Messaging are currently in Maintenance phase. This issue has been rated as having Moderate security impact, and is not currently planned to be addressed in future releases of MRG or MRG-Messaging. For more information, refer to the Issue Severity Classification and the Life Cycle and Update Policies:\nhttps://access.redhat.com/security/updates/classification\nhttps://access.redhat.com/support/policy/update_policies/", "threat_severity": "Moderate", "upstream_fix": "xerces-c 3.2.1"}