Vulnerabilites related to apache - uimaj
CVE-2023-39913 (GCVE-0-2023-39913)
Vulnerability from cvelistv5
Published
2023-11-08 08:04
Modified
2025-02-13 17:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:
* the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;
* the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data;
* the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;
* the CasAnnotationViewerApplet and the CasTreeViewerApplet;
* the checkpointing feature of the CPE module.
Note that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.
When using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.
As a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290 and https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it.
Note that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.
To mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the "jdk.serialFilter" system property using a semicolon as a separator:
To allow deserializing Java-serialized binary CASes, add the classes:
* org.apache.uima.cas.impl.CASCompleteSerializer
* org.apache.uima.cas.impl.CASMgrSerializer
* org.apache.uima.cas.impl.CASSerializer
* java.lang.String
To allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):
* org.apache.uima.collection.impl.cpm.CheckpointData
* org.apache.uima.util.ProcessTrace
* org.apache.uima.util.impl.ProcessTrace_impl
* org.apache.uima.collection.base_cpm.SynchPoint
Make sure to use "!*" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.
Apache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Apache Software Foundation | Apache UIMA Java SDK Core |
Version: 0 ≤ |
||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/08/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-39913",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T19:07:42.826793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T19:12:10.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.uima:uimaj-core",
"product": "Apache UIMA Java SDK Core",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.uima:uimaj-cpe",
"product": "Apache UIMA Java SDK CPE",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.uima:uimaj-adapter-vinci",
"product": "Apache UIMA Java SDK Vinci adapter",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.uima:uimaj-tools",
"product": "Apache UIMA Java SDK tools",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Huangzhicong from CodeSafe Team of Legendsec at Qi\u2019anxin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.\u003cp\u003eThis issue affects Apache UIMA Java SDK: before 3.5.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\u003c/p\u003eThere are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe CAS Editor Eclipse plugin which uses the\u0026nbsp;the CasIOUtils class to load data;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe CasAnnotationViewerApplet and the CasTreeViewerApplet;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe checkpointing feature of the CPE module.\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003eNote that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is \u003cb\u003enot\u003c/b\u003e a serialized Java object.\u003cbr\u003e\u003cbr\u003eWhen using Vinci or using CasIOUtils in own services/applications,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eAs a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://openjdk.org/jeps/290\"\u003ehttps://openjdk.org/jeps/290\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://openjdk.org/jeps/415\"\u003ehttps://openjdk.org/jeps/415\u003c/a\u003e) if running UIMA on a Java version that supports it. \u003cbr\u003e\u003cbr\u003eNote that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.\u003cbr\u003e\u003cbr\u003eTo mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the \u003ci\u003e\"jdk.serialFilter\"\u003c/i\u003e system property using a semicolon as a separator:\u003cbr\u003e\u003cbr\u003eTo allow deserializing Java-serialized binary CASes, add the classes:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eorg.apache.uima.cas.impl.CASCompleteSerializer\u003c/span\u003e\u003c/li\u003e\u003cli\u003eorg.apache.uima.cas.impl.CASMgrSerializer\u003c/li\u003e\u003cli\u003eorg.apache.uima.cas.impl.CASSerializer\u003c/li\u003e\u003cli\u003ejava.lang.String\u003c/li\u003e\u003c/ul\u003eTo allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):\u003cbr\u003e\u003cul\u003e\u003cli\u003eorg.apache.uima.collection.impl.cpm.CheckpointData\u003c/li\u003e\u003cli\u003eorg.apache.uima.util.ProcessTrace\u003c/li\u003e\u003cli\u003eorg.apache.uima.util.impl.ProcessTrace_impl\u003c/li\u003e\u003cli\u003eorg.apache.uima.collection.base_cpm.SynchPoint\u003c/li\u003e\u003c/ul\u003eMake sure to use \"!*\" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.\u003cbr\u003e\u003cbr\u003eApache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\n\nThere are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:\n * the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;\n * the CAS Editor Eclipse plugin which uses the\u00a0the CasIOUtils class to load data;\n * the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;\n * the CasAnnotationViewerApplet and the CasTreeViewerApplet;\n * the checkpointing feature of the CPE module.\n\nNote that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.\n\nWhen using Vinci or using CasIOUtils in own services/applications,\u00a0the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.\n\nAs a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290 \u00a0and\u00a0 https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it. \n\nNote that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.\n\nTo mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the \"jdk.serialFilter\" system property using a semicolon as a separator:\n\nTo allow deserializing Java-serialized binary CASes, add the classes:\n * org.apache.uima.cas.impl.CASCompleteSerializer\n * org.apache.uima.cas.impl.CASMgrSerializer\n * org.apache.uima.cas.impl.CASSerializer\n * java.lang.String\n\nTo allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):\n * org.apache.uima.collection.impl.cpm.CheckpointData\n * org.apache.uima.util.ProcessTrace\n * org.apache.uima.util.impl.ProcessTrace_impl\n * org.apache.uima.collection.base_cpm.SynchPoint\n\nMake sure to use \"!*\" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.\n\nApache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-08T08:06:03.766Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/08/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache UIMA Java SDK Core, Apache UIMA Java SDK CPE, Apache UIMA Java SDK Vinci adapter, Apache UIMA Java SDK tools: Potential untrusted code execution when deserializing certain binary CAS formats",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-39913",
"datePublished": "2023-11-08T08:04:23.911Z",
"dateReserved": "2023-08-07T09:15:50.297Z",
"dateUpdated": "2025-02-13T17:03:15.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32287 (GCVE-0-2022-32287)
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2025-05-02 20:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache UIMA |
Version: Java SDK < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:39:50.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
},
{
"name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-32287",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-02T20:24:12.849015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T20:24:43.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache UIMA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.3.0",
"status": "affected",
"version": "Java SDK",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache UIMA would like to thank Huangzhicong from CodeSafe Team of Legendsec at Qi\u0027anxin Group"
}
],
"descriptions": [
{
"lang": "en",
"value": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-03T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
},
{
"name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-32287",
"datePublished": "2022-11-03T00:00:00.000Z",
"dateReserved": "2022-06-03T00:00:00.000Z",
"dateUpdated": "2025-05-02T20:24:43.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15691 (GCVE-0-2017-15691)
Vulnerability from cvelistv5
Published
2018-04-26 17:00
Modified
2024-09-16 23:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
Summary
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache UIMA |
Version: uimaj prior to 2.10.2 Version: uimaj 3.0.0-xxx prior to 3.0.0-beta Version: uima-as prior to 2.10.2 Version: uimaFIT prior to 2.4.0 Version: uimaDUCC prior to 2.2.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:48.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://uima.apache.org/security_report#CVE-2017-15691"
},
{
"name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
},
{
"name": "RHSA-2019:1545",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1545"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache UIMA",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "uimaj prior to 2.10.2"
},
{
"status": "affected",
"version": "uimaj 3.0.0-xxx prior to 3.0.0-beta"
},
{
"status": "affected",
"version": "uima-as prior to 2.10.2"
},
{
"status": "affected",
"version": "uimaFIT prior to 2.4.0"
},
{
"status": "affected",
"version": "uimaDUCC prior to 2.2.2"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T23:06:05",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://uima.apache.org/security_report#CVE-2017-15691"
},
{
"name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
},
{
"name": "RHSA-2019:1545",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1545"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-15691",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache UIMA",
"version": {
"version_data": [
{
"version_value": "uimaj prior to 2.10.2"
},
{
"version_value": "uimaj 3.0.0-xxx prior to 3.0.0-beta"
},
{
"version_value": "uima-as prior to 2.10.2"
},
{
"version_value": "uimaFIT prior to 2.4.0"
},
{
"version_value": "uimaDUCC prior to 2.2.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://uima.apache.org/security_report#CVE-2017-15691",
"refsource": "CONFIRM",
"url": "https://uima.apache.org/security_report#CVE-2017-15691"
},
{
"name": "[uima-commits] 20190501 svn commit: r1858489 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79@%3Ccommits.uima.apache.org%3E"
},
{
"name": "RHSA-2019:1545",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1545"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-15691",
"datePublished": "2018-04-26T17:00:00Z",
"dateReserved": "2017-10-21T00:00:00",
"dateUpdated": "2024-09-16T23:42:23.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-11-08 08:15
Modified
2025-02-13 17:16
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:
* the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;
* the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data;
* the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;
* the CasAnnotationViewerApplet and the CasTreeViewerApplet;
* the checkpointing feature of the CPE module.
Note that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.
When using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.
As a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290 and https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it.
Note that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.
To mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the "jdk.serialFilter" system property using a semicolon as a separator:
To allow deserializing Java-serialized binary CASes, add the classes:
* org.apache.uima.cas.impl.CASCompleteSerializer
* org.apache.uima.cas.impl.CASMgrSerializer
* org.apache.uima.cas.impl.CASSerializer
* java.lang.String
To allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):
* org.apache.uima.collection.impl.cpm.CheckpointData
* org.apache.uima.util.ProcessTrace
* org.apache.uima.util.impl.ProcessTrace_impl
* org.apache.uima.collection.base_cpm.SynchPoint
Make sure to use "!*" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.
Apache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0660629-7E58-403B-BB1E-AC1F7ACD65E9",
"versionEndExcluding": "3.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\n\nThere are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:\n * the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;\n * the CAS Editor Eclipse plugin which uses the\u00a0the CasIOUtils class to load data;\n * the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;\n * the CasAnnotationViewerApplet and the CasTreeViewerApplet;\n * the checkpointing feature of the CPE module.\n\nNote that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.\n\nWhen using Vinci or using CasIOUtils in own services/applications,\u00a0the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.\n\nAs a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290 \u00a0and\u00a0 https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it. \n\nNote that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.\n\nTo mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the \"jdk.serialFilter\" system property using a semicolon as a separator:\n\nTo allow deserializing Java-serialized binary CASes, add the classes:\n * org.apache.uima.cas.impl.CASCompleteSerializer\n * org.apache.uima.cas.impl.CASMgrSerializer\n * org.apache.uima.cas.impl.CASSerializer\n * java.lang.String\n\nTo allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):\n * org.apache.uima.collection.impl.cpm.CheckpointData\n * org.apache.uima.util.ProcessTrace\n * org.apache.uima.util.impl.ProcessTrace_impl\n * org.apache.uima.collection.base_cpm.SynchPoint\n\nMake sure to use \"!*\" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.\n\nApache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version."
},
{
"lang": "es",
"value": "Deserializaci\u00f3n de datos que no son de confianza, vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache UIMA Java SDK. Este problema afecta a Apache UIMA Java SDK: anterior a 3.5.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.5.0, que soluciona el problema. Hay varias ubicaciones en el c\u00f3digo donde los objetos Java serializados se deserializan sin verificar los datos. Esto afecta en particular: * a la deserializaci\u00f3n de un CAS serializado en Java, pero tambi\u00e9n a otros formatos binarios de CAS que incluyen informaci\u00f3n TSI utilizando la clase CasIOUtils; * el complemento CAS Editor Eclipse que utiliza la clase CasIOUtils para cargar datos; * la deserializaci\u00f3n de un CAS serializado en Java del servicio Vinci Analysis Engine que puede recibir objetos CAS serializados en Java a trav\u00e9s de conexiones de red; * el CasAnnotationViewerApplet y el CasTreeViewerApplet; * la funci\u00f3n de puntos de control del m\u00f3dulo CPE. Tenga en cuenta que el framework UIMA de forma predeterminada no inicia ning\u00fan servicio accesible de forma remota (es decir, Vinci) que ser\u00eda vulnerable a este problema. Un usuario o desarrollador tendr\u00eda que tomar una decisi\u00f3n activa para iniciar dicho servicio. Sin embargo, los usuarios o desarrolladores pueden utilizar CasIOUtils en sus propias aplicaciones y servicios para analizar datos CAS serializados. Se ven afectados por este problema a menos que se aseguren de que los datos pasados a CasIOUtils no sean un objeto Java serializado. Cuando se utiliza Vinci o CasIOUtils en servicios/aplicaciones propios, la deserializaci\u00f3n sin restricciones de archivos CAS serializados en Java puede permitir la ejecuci\u00f3n de c\u00f3digo arbitrario (remoto). Como soluci\u00f3n, es posible configurar un ObjectInputFilter global o espec\u00edfico del contexto (cf. https://openjdk.org/jeps/290 y https://openjdk.org/jeps/415) si se ejecuta UIMA en un sistema Java versi\u00f3n que lo soporta. Tenga en cuenta que Java 1.8 no es compatible con ObjectInputFilter, por lo que no hay soluci\u00f3n cuando se ejecuta en esta plataforma que no es compatible. Se recomienda encarecidamente actualizar a una versi\u00f3n reciente de Java si necesita proteger una versi\u00f3n de UIMA afectada por este problema. Para mitigar el problema en una plataforma Java 9+, puede configurar un patr\u00f3n de filtro a trav\u00e9s de la propiedad del sistema \"jdk.serialFilter\" usando un punto y coma, como separador: Para permitir deserializar CAS binarios serializados en Java, agregue las clases: * org.apache .uima.cas.impl.CASCompleteSerializer * org.apache.uima.cas.impl.CASMgrSerializer * org.apache.uima.cas.impl.CASSerializer * java.lang.String Para permitir la deserializaci\u00f3n de datos de CPE Checkpoint, agregue las siguientes clases ( y cualquier clase personalizada que su aplicaci\u00f3n utilice para almacenar sus puntos de control): * org.apache.uima.collection.impl.cpm.CheckpointData * org.apache.uima.util.ProcessTrace * org.apache.uima.util.impl.ProcessTrace_impl * org.apache.uima.collection.base_cpm.SynchPoint Aseg\u00farese de utilizar \"!*\" como componente final del patr\u00f3n de filtro para no permitir la deserializaci\u00f3n de cualquier clase que no figure en el patr\u00f3n. Apache UIMA 3.5.0 utiliza ObjectInputFilters de alcance estricto al leer datos serializados en Java, seg\u00fan el tipo de datos que se espera. No es necesario configurar un filtro global con esta versi\u00f3n."
}
],
"id": "CVE-2023-39913",
"lastModified": "2025-02-13T17:16:54.320",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-11-08T08:15:08.883",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/08/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/08/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-03 12:15
Modified
2025-05-02 21:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/11/03/4 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/11/03/4 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38551E47-3B39-469A-A59C-FA02819BD0B8",
"versionEndIncluding": "3.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine."
},
{
"lang": "es",
"value": "Una vulnerabilidad de path traversal en una clase FileUtil utilizada por el componente de administraci\u00f3n PEAR de Apache UIMA permite a un atacante crear archivos fuera del directorio de destino designado utilizando nombres de entrada ZIP cuidadosamente manipulados. Este problema afecta a Apache UIMA Apache UIMA versi\u00f3n 3.3.0 y versiones anteriores. Tenga en cuenta que los archivos PEAR nunca deben instalarse en una instalaci\u00f3n UIMA desde fuentes que no sean de confianza porque los archivos PEAR son complementos ejecutables que podr\u00e1n realizar cualquier acci\u00f3n con los mismos privilegios que la m\u00e1quina virtual Java host."
}
],
"id": "CVE-2022-32287",
"lastModified": "2025-05-02T21:15:17.520",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-03T12:15:09.743",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-04-26 17:29
Modified
2024-11-21 03:15
Severity ?
Summary
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*",
"matchCriteriaId": "97A78884-7491-462D-AF97-62DD47C9269C",
"versionEndExcluding": "2.10.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:uimaj:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C2EA72A9-1FF4-4A61-8C4B-F79324E8BA6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:uimaj:3.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "81712F4E-9DDD-4FC0-A0AB-D71995D90B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:uimaj:3.0.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "96910D04-F0D5-41CD-92D4-2AE1FF355317",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:uima-as:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F7CC83F8-D102-4B60-9F2D-AA56C93272E5",
"versionEndExcluding": "2.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:uimafit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72C5A564-55B8-4D54-BA0A-6B311F4AB356",
"versionEndExcluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:uimaducc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5DB6C37E-E654-42A8-AC6B-A82221FFBDB1",
"versionEndExcluding": "2.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content."
},
{
"lang": "es",
"value": "En Apache uimaj en versiones anteriores a la 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as anteriores a la 2.10.2, Apache uimaFIT anteriores a la 2.4.0 y Apache uimaDUCC anteriores a la 2.2.2, esta vulnerabilidad est\u00e1 relacionada con una capacidad de expansi\u00f3n XEE (XML External Entity) de varios analizadores sint\u00e1cticos de archivos XML. UIMA, como parte de su configuraci\u00f3n y operaci\u00f3n, puede leer XML desde varios or\u00edgenes, los cuales se pueden corromper para provocar fugas inadvertidas de archivos locales u otro contenido interno."
}
],
"id": "CVE-2017-15691",
"lastModified": "2024-11-21T03:15:00.780",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-04-26T17:29:00.293",
"references": [
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2019:1545"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://uima.apache.org/security_report#CVE-2017-15691"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:1545"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://uima.apache.org/security_report#CVE-2017-15691"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}