CVE-2015-1832

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Derby
Vendor: CVE Published:; 3 October 2016

Summary

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.

References

http://www.securityfocus.com/bid/93132

vdb-entryx_refsource_BID

https://lists.apache.org/thread.html/708d94141126eac03011...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 3, 2016
Vulnerability Reserved
Feb 17, 2015

.