Bug 13870

Summary: [CVE 21] java-xmlbuilder 1.1 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED WONTFIX QA Contact: ROSA Linux Bugs <bugs>
Severity: blocker    
Priority: Highest CC: e.kosachev, s.matveev, v.potapov, y.tumanov
Version: AllFlags: y.tumanov: secteam_verified?
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2014-125087,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-10-18 20:27:01 MSK 
Please patch CVEs for package java-xmlbuilder version 1.1
  
INFO (CVEs are): java-xmlbuilder 1.1
 cves found
CVE-2014-125087
Desc: A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480.
Link: https://nvd.nist.gov/vuln/detail/CVE-2014-125087
Severity: CRITICAL
Comment 1 Vladimir Potapov 2023-10-20 17:02:13 MSK 
*** Bug 13738 has been marked as a duplicate of this bug. ***
Comment 2 Svyatoslav Matveev 2023-12-12 01:44:41 MSK 
Входит в java-стек, который пока обновляться не будет