CVE-2017-1000061
Published: 17 July 2017
xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service
From the Ubuntu Security Team
It was discovered that xmlsec incorrectly handled certain input documents. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service.
Notes
| Author | Note |
|---|---|
| rodrigo-zaiden | for full protection, libxml2 should be patched against CVE-2016-9318. in a patched version of xmlsec1 tool, if needed, parsing external entities can be forced with --xxe option. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
xmlsec1 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(1.2.24-3)
|
| bionic |
Not vulnerable
(1.2.24-3)
|
|
| cosmic |
Not vulnerable
(1.2.24-3)
|
|
| disco |
Not vulnerable
(1.2.24-3)
|
|
| eoan |
Not vulnerable
(1.2.24-3)
|
|
| focal |
Not vulnerable
(1.2.24-3)
|
|
| groovy |
Not vulnerable
(1.2.24-3)
|
|
| hirsute |
Not vulnerable
(1.2.24-3)
|
|
| impish |
Not vulnerable
(1.2.24-3)
|
|
| jammy |
Not vulnerable
(1.2.24-3)
|
|
| kinetic |
Not vulnerable
(1.2.24-3)
|
|
| trusty |
Released
(1.2.18-2ubuntu1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(1.2.24-1)
|
|
| xenial |
Released
(1.2.20-2ubuntu4+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.1 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |