CVE-2014-125087 : A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as pro

A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480.

Published 2023-02-19 17:15:11

Updated 2024-05-17 00:58:22

Source VulDB

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2014-125087

Java-xmlbuilder Project » Java-xmlbuilder
Versions before (<) 1.2
cpe:2.3:a:java-xmlbuilder_project:java-xmlbuilder:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-125087

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 13 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-125087

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.2	MEDIUM	AV:A/AC:L/Au:S/C:P/I:P/A:P	5.1	6.4	VulDB
Access Vector: Adjacent Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
5.5	MEDIUM	CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	2.1	3.4	VulDB
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low
5.5	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	2.1	3.4	VulDB	2024-02-08
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2014-125087

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: cna@vuldb.com (Primary)

References for CVE-2014-125087

https://vuldb.com/?id.221480

Login required
Third Party Advisory
https://vuldb.com/?ctiid.221480

Login required
Permissions Required;Third Party Advisory
https://github.com/jmurty/java-xmlbuilder/releases/tag/v1.2

Release v1.2 · jmurty/java-xmlbuilder · GitHub
Release Notes
https://security.netapp.com/advisory/ntap-20240208-0009/

CVE-2014-125087 java-xmlbuilder Vulnerability in NetApp Products | NetApp Product Security
https://github.com/jmurty/java-xmlbuilder/issues/6

XMLBuilder2 is vulnerable to XML External Entity (XXE) injection · Issue #6 · jmurty/java-xmlbuilder · GitHub
Exploit
https://github.com/jmurty/java-xmlbuilder/commit/e6fddca201790abab4f2c274341c0bb8835c3e73

Disable external entities by default to prevent XXE injection attacks… · jmurty/java-xmlbuilder@e6fddca · GitHub
Patch

Jump to

Vulnerability Details : CVE-2014-125087

Products affected by CVE-2014-125087

Exploit prediction scoring system (EPSS) score for CVE-2014-125087

CVSS scores for CVE-2014-125087

CWE ids for CVE-2014-125087

References for CVE-2014-125087