Vulnerability Details : CVE-2017-1289
IBM SDK, Java Technology Edition is vulnerable to an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150.
Vulnerability category: XML external entity (XXE) injection
Exploit prediction scoring system (EPSS) score for CVE-2017-1289
Probability of exploitation activity in the next 30 days: 0.23%
Percentile (the proportion of vulnerabilities scored at or below this one): ~60%
CVSS scores for CVE-2017-1289
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P | 10.0 | 4.9 | NIST
8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L | 3.9 | 4.2 | NIST
CWE ids for CVE-2017-1289
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-1289
- https://access.redhat.com/errata/RHSA-2017:1222 (RHSA-2017:1222 - Security Advisory - Red Hat Customer Portal)
- https://access.redhat.com/errata/RHSA-2017:1220 (RHSA-2017:1220 - Security Advisory - Red Hat Customer Portal)
- http://www.securityfocus.com/bid/98401 (IBM Java SDK CVE-2017-1289 XML External Entity Injection Vulnerability; Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:1221 (RHSA-2017:1221 - Security Advisory - Red Hat Customer Portal)
- https://www.ibm.com/support/docview.wss?uid=swg22002169 (IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition; Patch, Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2017:3453 (RHSA-2017:3453 - Security Advisory - Red Hat Customer Portal)
Products affected by CVE-2017-1289
- IBM » SDK » Update: Service Refresh 8 Fp41, Edition: Java Technology Edition; versions up to and including (<=) 6r1; cpe:2.3:a:ibm:sdk:*:service_refresh_8_fp41:*:*:java_technology_edition:*:*:*
- IBM » SDK » Update: Service Refresh 4 Fp1, Edition: Java Technology Edition; versions up to and including (<=) 7r1; cpe:2.3:a:ibm:sdk:*:service_refresh_4_fp1:*:*:java_technology_edition:*:*:*
- IBM » SDK » Update: Service Refresh 10 Fp1, Edition: Java Technology Edition; versions up to and including (<=) 7; cpe:2.3:a:ibm:sdk:*:service_refresh_10_fp1:*:*:java_technology_edition:*:*:*
- IBM » SDK » Update: Service Refresh 16 Fp41, Edition: Java Technology Edition; versions up to and including (<=) 6; cpe:2.3:a:ibm:sdk:*:service_refresh_16_fp41:*:*:java_technology_edition:*:*:*
- IBM » SDK » Update: Service Refresh 4 Fp2, Edition: Java Technology Edition; versions up to and including (<=) 8; cpe:2.3:a:ibm:sdk:*:service_refresh_4_fp2:*:*:java_technology_edition:*:*:*