Vulnerability Name: | CVE-2008-0628 (CCN-40156)
Assigned: | 2008-01-30
Published: | 2008-01-30
Updated: | 2018-10-15
Summary: | The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources.
CVSS v3 Severity: | 6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVSS v2 Severity: | 7.8 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:C)
5.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:C/E:U/RL:OF/RC:C)
4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:P/E:U/RL:OF/RC:C)
Vulnerability Type: | CWE-264
Vulnerability Consequences: | Bypass Security
References: | Source: MITRE Type: CNA CVE-2008-0628
Source: BEA Type: UNKNOWN BEA08-201.00
Source: CCN Type: RHSA-2008-0245 Moderate: java-1.6.0-bea security update
Source: MISC Type: UNKNOWN http://scary.beasts.org/security/CESA-2007-002.html
Source: CCN Type: SA28746 Sun Java Runtime Environment External XML Entities Security Bypass
Source: SECUNIA Type: Patch, Vendor Advisory 28746
Source: CCN Type: SA29841 BEA JRockit Multiple Vulnerabilities
Source: SECUNIA Type: UNKNOWN 29841
Source: SECUNIA Type: UNKNOWN 29858
Source: SECUNIA Type: UNKNOWN 30780
Source: GENTOO Type: UNKNOWN GLSA-200804-28
Source: SREASON Type: UNKNOWN 3621
Source: CCN Type: SECTRACK ID: 1019292 Java Runtime Environment (JRE) XML External Entity Property Lets Remote Users Access URL Resources
Source: CCN Type: Sun Alert ID: 231246 A Vulnerability in the Java Runtime Environment XML Parsing Code May Allow URL Resources to be Accessed
Source: SUNALERT Type: UNKNOWN 231246
Source: CCN Type: ASA-2008-056 A Vulnerability in the Java Runtime Environment XML Parsing Code May Allow URL Resources to be Accessed (Sun 231246)
Source: CCN Type: GLSA 200804-28 JRockit: Multiple vulnerabilities
Source: CCN Type: GLSA-200804-20 Sun JDK/JRE: Multiple vulnerabilities
Source: GENTOO Type: UNKNOWN GLSA-200804-20
Source: GENTOO Type: UNKNOWN GLSA-200806-11
Source: REDHAT Type: UNKNOWN RHSA-2008:0245
Source: BUGTRAQ Type: UNKNOWN 20080202 Sun JRE / JDK bug introduces XXE possibilities
Source: BID Type: UNKNOWN 27553
Source: CCN Type: BID-27553 Sun Java RunTime Environment XML Parsing Unspecified Vulnerability
Source: SECTRACK Type: UNKNOWN 1019292
Source: VUPEN Type: UNKNOWN ADV-2008-0371
Source: VUPEN Type: UNKNOWN ADV-2008-1252
Source: XF Type: UNKNOWN jre-externalgeneralentities-security-bypass(40156)
Source: OVAL Type: UNKNOWN oval:org.mitre.oval:def:9847
Source: CCN Type: BEA08-201.00 Multiple Security Vulnerabilities in the Java Runtime Environment
Vulnerable Configuration: | Configuration 1: Configuration RedHat 1: Configuration CCN 1: Denotes that component is vulnerable