CVE-2017-1000061
Publication date 17 July 2017
Last updated 24 July 2024
Ubuntu priority
xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service
From the Ubuntu Security Team
It was discovered that xmlsec incorrectly handled certain input documents. An attacker could possibly use this issue to obtain sensitive information or cause a denial of service.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| xmlsec1 | ||
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 1.2.20-2ubuntu4+esm1
|
|
| 14.04 LTS trusty |
Fixed 1.2.18-2ubuntu1+esm1
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
rodrigo-zaiden
for full protection, libxml2 should be patched against CVE-2016-9318. in a patched version of xmlsec1 tool, if needed, parsing external entities can be forced with --xxe option.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.1 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5674-1
- XML Security Library vulnerability
- 13 October 2022