Vulnerability Details : CVE-2015-1832
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
Vulnerability categories: XML external entity (XXE) injection; Denial of service
Products affected by CVE-2015-1832
- cpe:2.3:a:apache:derby:10.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.8.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.7.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.10.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.9.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.5.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.8.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.8.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:derby:10.3.3.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-1832
- EPSS score: 0.76% (probability of exploitation activity in the next 30 days)
- Percentile: ~81% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2015-1832
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P | 10.0 | 4.9 | NIST |
9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 | NIST |
CWE ids for CVE-2015-1832
- (CWE id not shown on this page) Assigned by: nvd@nist.gov (Primary)
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1832
- https://www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update Advisory - October 2020)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Oracle Critical Patch Update Advisory - April 2020)
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail)
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E (Pony Mail)
- https://issues.apache.org/jira/browse/DERBY-6807 ([DERBY-6807] XXE attack possible by using XmlVTI and the XML datatype - ASF JIRA; Issue Tracking)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Oracle Critical Patch Update - April 2019)
- http://www-01.ibm.com/support/docview.wss?uid=swg21990100 (IBM Security Bulletin: Vulnerability in dependent component distributed in IBM Development Package for Apache Spark (CVE-2015-1832); Third Party Advisory)
- https://svn.apache.org/viewvc?view=revision&revision=1691461 ([Apache-SVN] Revision 1691461; Issue Tracking)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Oracle Critical Patch Update - January 2019)
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E (Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report - Pony Mail)
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail)
- http://www.securityfocus.com/bid/93132 (Apache Derby CVE-2015-1832 XML External Entity Information Disclosure Vulnerability; Third Party Advisory; VDB Entry)
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E (CVEs (vulnerabilities) that apply to Solr 8.4.1 - Pony Mail)