Vulnerability Name: CVE-2021-23901 (CCN-195536)

Assigned: 2021-01-24
Published: 2021-01-24
Updated: 2021-05-17
Summary: An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.
CVSS v3 Severity: 9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): None
  Availability (A): None
CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): Partial
  Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): None
  Availability (A): None
Vulnerability Type: CWE-611
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2021-23901

Source: CCN
Type: Apache Web site
Apache Nutch

Source: XF
Type: UNKNOWN
apache-cve202123901-info-disc(195536)

Source: CONFIRM
Type: Issue Tracking, Patch, Vendor Advisory
N/A

Source: CONFIRM
Type: Mailing List, Vendor Advisory
N/A

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[announce] 20210124 CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser

Source: MLIST
Type: Mailing List, Vendor Advisory
[nutch-dev] 20210125 Re: CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser

Source: CCN
Type: oss-sec Mailing List, Sun, 24 Jan 2021 13:37:50 -0800
CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210513-0003/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-23901

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apache:nutch:*:*:*:*:*:*:*:* (Version < 1.18)

Configuration 2:
  • cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions:
  Definition ID | Class | Title | Last Modified
  oval:org.opensuse.security:def:91691 | P | Security update for SUSE Manager Server 4.0 (Moderate) | 2021-02-12
  oval:org.opensuse.security:def:95982 | P | Security update for nutch-core (Moderate) | 2021-02-08