CVE-2015-1832
high-risk
Published 2016-10-03
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
Do I need to act?
EPSS: 0.82% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 9.1/10, Critical (attack vector NETWORK, attack complexity LOW)
Affected Products (20)
Derby (20 affected product entries; version details not preserved in this listing)
Affected Vendors
Apache
References (26)
Third Party Advisory: http://www-01.ibm.com/support/docview.wss?uid=swg21990100
Third Party Advisory: http://www.securityfocus.com/bid/93132
Issue Tracking: https://issues.apache.org/jira/browse/DERBY-6807
Issue Tracking: https://svn.apache.org/viewvc?view=revision&revision=1691461
and 6 more references
Risk score: 54/100 (high-risk)
Severity: 31/34 · Critical
Exploitability: 3/34 · Minimal
Exposure: 20/34 · Moderate