Vulnerability Name:

CCN-13248

Published:2003-09-22
Updated:2003-09-22
Summary:Sun Microsystem's Java 2 SDK Standard Edition is vulnerable to a denial of service, caused by a vulnerability in JAXP. The Java API for XML Processing (JAXP) is used to process XML documents. If a remote attacker with access to Java based applications that accepts and parses XML documents nests entity definitions within an XML document, the attacker can cause the server consume 100% of the available CPU resources, which would result in a denial of service.
CVSS v3 Severity:7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Consequences:Denial of Service
References:Source: CCN
Type: Java Web site
Java 2 Platform, Standard Edition (J2SE) Release Notes

Source: CCN
Type: BID-8666
Sun Java XML Document Nested Entity Denial Of Service Vulnerability

Source: XF
Type: UNKNOWN
java-jaxp-xml-dos(13248)

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:sun:jre:1.2.2::linux_production:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:-:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.4.1:-:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.4.2:-:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.1.8:update13:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.1.8:update14:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.1.8:update7:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.1.8:update8:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.2.2:update10:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.0:-:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.0:update1:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.0:update2:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.0:update3:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.0:update4:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.0:update5:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update1:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update15:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update16:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update18:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update19:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update1a:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update20:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update4:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update8:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.4.1:update3:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update2:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update12:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.3.1:update17:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.4.1:update1:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.4.1:update2:*:*:*:*:*:*
  • OR cpe:/a:sun:jre:1.4.1:update7:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    sun jre 1.2.2
    sun jre 1.3.1
    sun jre 1.4.0
    sun jre 1.4.1
    sun jre 1.4.2
    sun jre 1.1.8 update13
    sun jre 1.1.8 update14
    sun jre 1.1.8 update7
    sun jre 1.1.8 update8
    sun jre 1.2.2 update10
    sun jre 1.3.0
    sun jre 1.3.0 update1
    sun jre 1.3.0 update2
    sun jre 1.3.0 update3
    sun jre 1.3.0 update4
    sun jre 1.3.0 update5
    sun jre 1.3.1 update1
    sun jre 1.3.1 update15
    sun jre 1.3.1 update16
    sun jre 1.3.1 update18
    sun jre 1.3.1 update19
    sun jre 1.3.1 update1a
    sun jre 1.3.1 update20
    sun jre 1.3.1 update4
    sun jre 1.3.1 update8
    sun jre 1.4.1 update3
    sun jre 1.3.1 update2
    sun jre 1.3.1 update12
    sun jre 1.3.1 update17
    sun jre 1.4.1 update1
    sun jre 1.4.1 update2
    sun jre 1.4.1 update7