Vulnerabilites related to Apache Software Foundation - Apache UIMA
CVE-2022-32287 (GCVE-0-2022-32287)
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2025-05-02 20:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache UIMA |
Version: Java SDK < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:39:50.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
},
{
"name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-32287",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-02T20:24:12.849015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T20:24:43.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache UIMA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.3.0",
"status": "affected",
"version": "Java SDK",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache UIMA would like to thank Huangzhicong from CodeSafe Team of Legendsec at Qi\u0027anxin Group"
}
],
"descriptions": [
{
"lang": "en",
"value": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-03T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
},
{
"name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-32287",
"datePublished": "2022-11-03T00:00:00.000Z",
"dateReserved": "2022-06-03T00:00:00.000Z",
"dateUpdated": "2025-05-02T20:24:43.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15691 (GCVE-0-2017-15691)
Vulnerability from cvelistv5
Published
2018-04-26 17:00
Modified
2024-09-16 23:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
Summary
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache UIMA |
Version: uimaj prior to 2.10.2 Version: uimaj 3.0.0-xxx prior to 3.0.0-beta Version: uima-as prior to 2.10.2 Version: uimaFIT prior to 2.4.0 Version: uimaDUCC prior to 2.2.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:48.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://uima.apache.org/security_report#CVE-2017-15691"
},
{
"name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
},
{
"name": "RHSA-2019:1545",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1545"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache UIMA",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "uimaj prior to 2.10.2"
},
{
"status": "affected",
"version": "uimaj 3.0.0-xxx prior to 3.0.0-beta"
},
{
"status": "affected",
"version": "uima-as prior to 2.10.2"
},
{
"status": "affected",
"version": "uimaFIT prior to 2.4.0"
},
{
"status": "affected",
"version": "uimaDUCC prior to 2.2.2"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T23:06:05",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://uima.apache.org/security_report#CVE-2017-15691"
},
{
"name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
},
{
"name": "RHSA-2019:1545",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1545"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-15691",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache UIMA",
"version": {
"version_data": [
{
"version_value": "uimaj prior to 2.10.2"
},
{
"version_value": "uimaj 3.0.0-xxx prior to 3.0.0-beta"
},
{
"version_value": "uima-as prior to 2.10.2"
},
{
"version_value": "uimaFIT prior to 2.4.0"
},
{
"version_value": "uimaDUCC prior to 2.2.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://uima.apache.org/security_report#CVE-2017-15691",
"refsource": "CONFIRM",
"url": "https://uima.apache.org/security_report#CVE-2017-15691"
},
{
"name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E"
},
{
"name": "RHSA-2019:1545",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1545"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-15691",
"datePublished": "2018-04-26T17:00:00Z",
"dateReserved": "2017-10-21T00:00:00",
"dateUpdated": "2024-09-16T23:42:23.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}