CVE-2015-1832: XEE
First published: Mon Oct 03 2016(Updated: )
Apache Derby could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML datatype and XmlVTI. An attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Derby | =10.1.1.0 | |
| Apache Derby | =10.1.2.1 | |
| Apache Derby | =10.1.3.1 | |
| Apache Derby | =10.2.1.6 | |
| Apache Derby | =10.2.2.0 | |
| Apache Derby | =10.3.3.0 | |
| Apache Derby | =10.4.1.3 | |
| Apache Derby | =10.4.2.0 | |
| Apache Derby | =10.5.1.1 | |
| Apache Derby | =10.5.3.0 | |
| Apache Derby | =10.6.1.0 | |
| Apache Derby | =10.6.2.1 | |
| Apache Derby | =10.7.1.1 | |
| Apache Derby | =10.8.1.2 | |
| Apache Derby | =10.8.2.2 | |
| Apache Derby | =10.8.3.0 | |
| Apache Derby | =10.9.1.0 | |
| Apache Derby | =10.10.1.1 | |
| Apache Derby | =10.10.2.0 | |
| Apache Derby | =10.11.1.1 | |
| IBM RDNG | <=6.0.2 | |
| IBM DOORS Next | <=7.0 | |
| IBM DOORS Next | <=7.0.1 | |
| IBM DOORS Next | <=7.0.2 | |
| IBM RDNG | <=6.0.6.1 | |
| IBM RDNG | <=6.0.6 | |
| IBM Pub | <=7.0.1 | |
| IBM Pub | <=7.0.2 | |
| IBM Pub | <=7.0 | |
| IBM EWM | <=7.0.2 | |
| IBM EWM | <=7.0.1 | |
| IBM RTC | <=6.0.2 | |
| IBM RTC | <=6.0.6.1 | |
| IBM EWM | <=7.0 | |
| IBM RTC | <=6.0.6 | |
| IBM Global Configuration Management | <=All | |
| IBM ETM | <=7.0.2 | |
| IBM RQM | <=6.0.6.1 | |
| IBM ETM | <=7.0.1 | |
| IBM RQM | <=6.0.6 | |
| IBM ETM | <=7.0.0 | |
| IBM RQM | <=6.0.2 | |
| IBM Engineering Requirements Quality Assistant On-Premises | <=All |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www-01.ibm.com/support/docview.wss?uid=swg21990100
- http://www.securityfocus.com/bid/93132
- https://issues.apache.org/jira/browse/DERBY-6807
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
- https://svn.apache.org/viewvc?view=revision&revision=1691461
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/115625
- https://www.ibm.com/support/pages/node/6417585 (Advisory)
Frequently Asked Questions
What is CVE-2015-1832?
CVE-2015-1832 is a vulnerability in Apache Derby that allows a remote attacker to obtain sensitive information or cause a denial of service.
What is the severity of CVE-2015-1832?
The severity of CVE-2015-1832 is critical with a CVSS score of 9.1.
How does CVE-2015-1832 affect Apache Derby?
CVE-2015-1832 affects Apache Derby versions before 10.12.1.1.
How can a remote attacker exploit CVE-2015-1832?
A remote attacker can exploit CVE-2015-1832 by leveraging XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby.
Is there a fix available for CVE-2015-1832?
Yes, the fix for CVE-2015-1832 is available in Apache Derby version 10.12.1.1 and later.
- collector/nvd-index
- agent/type
- agent/severity
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- agent/event
- vendor/apache
- canonical/apache derby
- version/apache derby/10.1.1.0
- version/apache derby/10.1.2.1
- version/apache derby/10.1.3.1
- version/apache derby/10.2.1.6
- version/apache derby/10.2.2.0
- version/apache derby/10.3.3.0
- version/apache derby/10.4.1.3
- version/apache derby/10.4.2.0
- version/apache derby/10.5.1.1
- version/apache derby/10.5.3.0
- version/apache derby/10.6.1.0
- version/apache derby/10.6.2.1
- version/apache derby/10.7.1.1
- version/apache derby/10.8.1.2
- version/apache derby/10.8.2.2
- version/apache derby/10.8.3.0
- version/apache derby/10.9.1.0
- version/apache derby/10.10.1.1
- version/apache derby/10.10.2.0
- version/apache derby/10.11.1.1
- vendor/ibm
- canonical/ibm rdng
- version/ibm rdng/6.0.2
- canonical/ibm doors next
- version/ibm doors next/7.0
- version/ibm doors next/7.0.1
- version/ibm doors next/7.0.2
- version/ibm rdng/6.0.6.1
- version/ibm rdng/6.0.6
- canonical/ibm pub
- version/ibm pub/7.0.1
- version/ibm pub/7.0.2
- version/ibm pub/7.0
- canonical/ibm ewm
- version/ibm ewm/7.0.2
- version/ibm ewm/7.0.1
- canonical/ibm rtc
- version/ibm rtc/6.0.2
- version/ibm rtc/6.0.6.1
- version/ibm ewm/7.0
- version/ibm rtc/6.0.6
- canonical/ibm global configuration management
- version/ibm global configuration management/all
- canonical/ibm etm
- version/ibm etm/7.0.2
- canonical/ibm rqm
- version/ibm rqm/6.0.6.1
- version/ibm etm/7.0.1
- version/ibm rqm/6.0.6
- version/ibm etm/7.0.0
- version/ibm rqm/6.0.2
- canonical/ibm engineering requirements quality assistant on-premises
- version/ibm engineering requirements quality assistant on-premises/all