CVE-2014-6517
OpenJDK: StAX parser parameter entity XXE (JAXP, 8039533)
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and Jrockit R27.8.3 and R28.3.3 allows remote attackers to affect confidentiality via vectors related to JAXP.
It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform an XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-09-17 CVE Reserved
- 2014-10-15 CVE Published
- 2024-08-06 CVE Updated
- 2024-10-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (35)
URL | Date | SRC |
---|---|---|
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html | 2022-05-13 | |
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00013.html | 2022-05-13 | |
http://marc.info/?l=bugtraq&m=141775382904016&w=2 | 2022-05-13 | |
http://rhn.redhat.com/errata/RHSA-2014-1620.html | 2022-05-13 | |
http://rhn.redhat.com/errata/RHSA-2014-1633.html | 2022-05-13 | |
http://rhn.redhat.com/errata/RHSA-2014-1634.html | 2022-05-13 | |
http://rhn.redhat.com/errata/RHSA-2014-1636.html | 2022-05-13 | |
http://rhn.redhat.com/errata/RHSA-2014-1657.html | 2022-05-13 | |
http://rhn.redhat.com/errata/RHSA-2014-1658.html | 2022-05-13 | |
http://security.gentoo.org/glsa/glsa-201502-12.xml | 2022-05-13 | |
http://www.debian.org/security/2014/dsa-3077 | 2022-05-13 | |
http://www.debian.org/security/2014/dsa-3080 | 2022-05-13 | |
http://www.ubuntu.com/usn/USN-2386-1 | 2022-05-13 | |
http://www.ubuntu.com/usn/USN-2388-1 | 2022-05-13 | |
http://www.ubuntu.com/usn/USN-2388-2 | 2022-05-13 | |
https://access.redhat.com/security/cve/CVE-2014-6517 | 2014-10-16 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1151364 | 2014-10-16 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Oracle | Jrockit | r27.8.3 | - | Affected |
Oracle | Jrockit | r28.3.3 | - | Affected |
Oracle | Jdk | 1.6.0 | update81 | Affected |
Oracle | Jdk | 1.7.0 | update60 | Affected |
Oracle | Jre | 1.6.0 | update_81 | Affected |
Oracle | Jre | 1.7.0 | update_67 | Affected |
Oracle | Jre | 1.7.0 | update60 | Affected |
Oracle | Jre | 1.8.0 | update_20 | Affected |