CVE-2012-0037 : Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 B

Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read arbitrary files via a crafted XML external entity (XXE) declaration and reference in an RDF document.

Published 2012-06-17 03:41:40

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2012-0037

Debian » Debian Linux » Version: 6.0
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 6.2
cpe:2.3:o:redhat:enterprise_linux_eus:6.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 6.2
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:*:*:*:*:*:*:*
Matching versions
Redhat » Storage » Version: 2.0
cpe:2.3:a:redhat:storage:2.0:*:*:*:*:*:*:*
Matching versions
Redhat » Storage For Public Cloud » Version: 2.0
cpe:2.3:a:redhat:storage_for_public_cloud:2.0:*:*:*:*:*:*:*
Matching versions
Redhat » Gluster Storage Server For On-premise » Version: 2.0
cpe:2.3:a:redhat:gluster_storage_server_for_on-premise:2.0:*:*:*:*:*:*:*
Matching versions
Apache » Openoffice » Version: 3.3.0
cpe:2.3:a:apache:openoffice:3.3.0:*:*:*:*:*:*:*
Matching versions
Apache » Openoffice » Version: 3.4.0 Update Beta
cpe:2.3:a:apache:openoffice:3.4.0:beta:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 17
cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 16
cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:*
Matching versions
Libreoffice » Libreoffice
Versions before (<) 3.4.6
cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*
Matching versions
Libreoffice » Libreoffice » Version: 3.5.0
cpe:2.3:a:libreoffice:libreoffice:3.5.0:*:*:*:*:*:*:*
Matching versions
Librdf » Raptor
Versions before (<) 2.0.7
cpe:2.3:a:librdf:raptor:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2012-0037

EPSS FAQ

0.58%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 66 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2012-0037

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	2.8	3.6	NIST	2024-02-15
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2012-0037

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-0037

http://rhn.redhat.com/errata/RHSA-2012-0410.html

RHSA-2012:0410 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://secunia.com/advisories/48479

Sign in
Broken Link;Vendor Advisory
http://blog.documentfoundation.org/2012/03/22/tdf-announces-libreoffice-3-4-6/

TDF announces LibreOffice 3.4.6 - The Document Foundation Blog
Release Notes
http://www.openwall.com/lists/oss-security/2012/03/27/4

oss-security - Fwd: CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
Exploit;Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2012:063

mandriva.com
Broken Link
http://www.libreoffice.org/advisories/CVE-2012-0037/

CVE-2012-0037 | LibreOffice - Free Office Suite - Fun Project - Fantastic People
Vendor Advisory
http://security.gentoo.org/glsa/glsa-201209-05.xml

LibreOffice: Multiple vulnerabilities (GLSA 201209-05) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2012-0411.html

RHSA-2012:0411 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://secunia.com/advisories/48494

Sign in
Broken Link
http://vsecurity.com/resources/advisory/20120324-1/

VSR | 404 Not Found
Broken Link
http://secunia.com/advisories/48526

Sign in
Broken Link;Vendor Advisory
http://secunia.com/advisories/50692

Sign in
Broken Link

CVEs referencing this url
http://secunia.com/advisories/48529

Sign in
Broken Link;Vendor Advisory
http://www.securitytracker.com/id?1026837

OpenOffice.org XML External Entity Processing Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker
Broken Link;Third Party Advisory;VDB Entry
http://secunia.com/advisories/48493

Sign in
Broken Link;Vendor Advisory
http://www.openoffice.org/security/cves/CVE-2012-0037.html

CVE-2012-0037
Mitigation;Patch
http://www.mandriva.com/security/advisories?name=MDVSA-2012:061

mandriva.com
Broken Link
http://secunia.com/advisories/60799

Sign in
Broken Link

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077708.html

[SECURITY] Fedora 17 Update: raptor2-2.0.7-1.fc17
Mailing List
https://lists.apache.org/thread.html/re0504f08000df786e51795940501e81a5d0ae981ecca68141e87ece0%40%3Ccommits.openoffice.apache.org%3E

svn commit: r1874832 - in /openoffice/ooo-site/trunk/content: download/checksums.html download/globalvars.js download/test/globalvars.js security/cves/CVE-2012-0037.html security/cves/CVE-2013-1571.ht
Mailing List;Patch

CVEs referencing this url
http://secunia.com/advisories/48649

Sign in
Broken Link
http://www.securityfocus.com/bid/52681

Raptor XML External Entity Information Disclosure Vulnerability
Broken Link;Third Party Advisory;VDB Entry
http://librdf.org/raptor/RELEASE.html#rel2_0_7

Raptor RDF Syntax Library - Release Notes
Release Notes
https://github.com/dajobe/raptor/commit/a676f235309a59d4aa78eeffd2574ae5d341fcb0

CVE-2012-0037 · dajobe/raptor@a676f23 · GitHub
Patch
http://www.osvdb.org/80307

404 Not Found
Broken Link
http://www.debian.org/security/2012/dsa-2438

Debian -- Security Information -- DSA-2438-1 raptor
Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2012:062

mandriva.com
Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/74235

OpenOffice.org XML information disclosure CVE-2012-0037 Vulnerability Report
Third Party Advisory;VDB Entry
http://secunia.com/advisories/48542

Sign in
Broken Link;Vendor Advisory
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml

OpenOffice, LibreOffice: Multiple vulnerabilities (GLSA 201408-19) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078242.html

[SECURITY] Fedora 16 Update: raptor2-2.0.7-1.fc16
Mailing List

Jump to

Vulnerability Details : CVE-2012-0037

Products affected by CVE-2012-0037

Exploit prediction scoring system (EPSS) score for CVE-2012-0037

CVSS scores for CVE-2012-0037

CWE ids for CVE-2012-0037

References for CVE-2012-0037