CVE-2017-15691
CVE-2017-15691 is a medium-severity vulnerability in Apache Uimaj with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-611.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v2: 4.0
- EPSS exploit prediction: 9% (95th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-611
- Affected product: Apache Uimaj
- Published:
- Last modified:
Description
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.
Frequently asked questions
- What is CVE-2017-15691?
- In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.
- How severe is CVE-2017-15691?
- CVE-2017-15691 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2017-15691 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 9% (95th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2017-15691?
- CVE-2017-15691 primarily affects Apache Uimaj. In total, 7 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-15691?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2017-15691 published?
- CVE-2017-15691 was published on 2018-04-26 and last updated on 2026-06-17.
References
- https://access.redhat.com/errata/RHSA-2019:1545
- https://lists.apache.org/thread.html/00407c65738e625a8cc9d732923a4ab2d8299603cc7c7e5cc2da9c79%40%3Ccommits.uima.apache.org%3E
- https://uima.apache.org/security_report#CVE-2017-15691
Affected products (7)
- cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:uimaj:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:uimaj:3.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:uimaj:3.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:apache:uima-as:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:uimafit:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:uimaducc:*:*:*:*:*:*:*:*
More vulnerabilities in Apache Uimaj
- CVE-2023-39913 — High (CVSS 8.8): Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java…
- CVE-2022-32287 — High (CVSS 7.5): A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows…
All CVEs affecting Apache Uimaj →
Other CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) vulnerabilities
- CVE-2022-22486 — Critical (CVSS 10.0): IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when…
- CVE-2019-14678 — Critical (CVSS 10.0): SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in…
- CVE-2015-9280 — Critical (CVSS 10.0): MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.
- CVE-2018-1000838 — Critical (CVSS 10.0): autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result…
- CVE-2018-1000837 — Critical (CVSS 10.0): UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can…
- CVE-2018-1000835 — Critical (CVSS 10.0): KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can…
Browse all CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) vulnerabilities →