Bug 517310 - XML external entity (XXE) vulnerability in the derby.jar
Summary: XML external entity (XXE) vulnerability in the derby.jar
Status: NEW
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: BIRT (show other bugs)
Version: 4.4.1
Hardware: PC All
Importance: P3 critical
Target Milestone: ---
Assignee: Birt-Report-inbox@eclipse.org
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-26 11:51 EDT by Marcelo HC
Modified: 2017-05-26 11:51 EDT

See Also:


Attachments: none

Description Marcelo HC 2017-05-26 11:51:12 EDT
BIRT includes Apache Derby 10.5.1.1 which is affected by CVE-2015-1832 and CVE-2009-4269. Patches should be supplied to resolve the vulnerability for all supported releases.

https://nvd.nist.gov/vuln/detail/CVE-2015-1832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4269
https://nvd.nist.gov/vuln/detail/CVE-2009-4269

CVSS Severity for CVE-2015-1832: CRITICAL.
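Added example, not part of the bug report and not code from BIRT or Apache Derby: a small Python check that reads the Derby version out of a derby.jar and reports which of the two CVEs above still apply. Fixed versions are taken as 10.12.1.1 for CVE-2015-1832 and 10.6.1.0 for CVE-2009-4269 (verify against the NVD entries linked above before relying on them). It assumes, as Derby's sysinfo tool does, that the jar carries org/apache/derby/info/engine.properties with derby.version.major/minor/maint, where maint encodes fixpack * 1000000 + point. The jar used as input is constructed in memory so the script runs offline; point derby_version_from_jar() at a real file's bytes to check a BIRT install.

```python
"""Report which Derby CVEs from bug 517310 apply to a given derby.jar."""
import io
import zipfile

# First release containing each fix (assumed from the CVE records; verify on NVD).
# Any version that compares lower than the fixed version is affected.
FIXED_VERSIONS = {
    "CVE-2015-1832": (10, 12, 1, 1),  # XXE via the XML datatype / XmlVTI
    "CVE-2009-4269": (10, 6, 1, 0),   # weak BUILTIN authentication password hash
}

# Assumption: derby.jar ships this properties file (what sysinfo reads) and
# derby.version.maint encodes fixpack * 1000000 + point, e.g. 1000001 -> 1.1.
ENGINE_PROPERTIES = "org/apache/derby/info/engine.properties"


def parse_derby_version(props_text):
    """Return (major, minor, fixpack, point) from engine.properties content."""
    props = {}
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    major = int(props["derby.version.major"])
    minor = int(props["derby.version.minor"])
    maint = int(props["derby.version.maint"])
    return (major, minor, maint // 1000000, maint % 1000000)


def derby_version_from_jar(jar_bytes):
    """Open a jar (zip) given as bytes and extract the Derby version tuple."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return parse_derby_version(jar.read(ENGINE_PROPERTIES).decode("utf-8"))


def affected_cves(version):
    """CVE ids from FIXED_VERSIONS whose fix is newer than the given version."""
    return sorted(cve for cve, fixed in FIXED_VERSIONS.items() if version < fixed)


def build_sample_jar(major, minor, maint):
    """Constructed test input: a minimal jar holding only the properties file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            ENGINE_PROPERTIES,
            f"derby.version.major={major}\n"
            f"derby.version.minor={minor}\n"
            f"derby.version.maint={maint}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # 10.5.1.1 is the version the bug says BIRT 4.4.1 bundles; the others are
    # constructed comparison points around the two fixed releases.
    for maj, mnr, maint in [(10, 5, 1000001), (10, 6, 1000000), (10, 12, 1000001)]:
        version = derby_version_from_jar(build_sample_jar(maj, mnr, maint))
        print(".".join(map(str, version)), affected_cves(version) or "not affected")
```

Tuple comparison does the ordering, so 10.12.x sorts after 10.6.x correctly (a string compare would get this wrong). The same check can be extended to other Derby CVEs by adding entries to FIXED_VERSIONS.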