[GHSA-5m48-vr54-vmh3] jersey: XXE via parameter entities not disabled by the...#5735
Pull Request Overview
This pull request updates the advisory for GHSA-5m48-vr54-vmh3 by revising key metadata and expanding the context for the XXE vulnerability in jersey-core.
- Updates the "modified" timestamp and revises the CVSS severity score.
- Adds a "summary" field and enriches the "affected" package details with version ranges.
- Incorporates additional reference links for further context.
Comments suppressed due to low confidence (1)
advisories/unreviewed/2022/05/GHSA-5m48-vr54-vmh3/GHSA-5m48-vr54-vmh3.json:18
- Ensure that the newly added 'affected' block with the package and version range accurately captures all impacted versions; if additional version details are known, update the range accordingly.
{
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" |
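Review bot: the vector change on this line moves the computed CVSS 3.1 base score from 7.5 (PR:N, C:H only) to 8.1 (PR:L, C:H and I:H). PR:L lowers the exploitability sub-score while I:H raises impact, so the advisory text should state what privilege an attacker needs and how the XXE reaches high integrity impact; if that cannot be supported from the references, the earlier vector matches the usual XXE file-read pattern and needs no justification beyond the references already linked.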
Double-check that the updated CVSS score (shifting from PR:N and I:N to PR:L and I:H) accurately reflects the intended vulnerability impact per the advisory and reference details.
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" | |
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N" |
8e7e70c into joshbressers/advisory-improvement-5735
Hi @joshbressers! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
I based the CVSS score on existing XXE examples I found.
This one isn't super obvious, but I think I figured it out
Because it's an older version, here's the Maven entry for this
https://central.sonatype.com/artifact/com.sun.jersey/jersey-core
The CVE has no usable details. But the Red Hat bug specifies it's fixed in 1.13 (without any supporting evidence).
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3643
This version is also noted on this site
https://www.sourceclear.com/vulnerability-database/security/xml-external-entity-xxe/java/sid-22175
That site links to this patch:
javaee/jersey-1.x@49f1e5a
Which is in version 1.13, and is the only XXE patch I could find in that source tree in the neighborhood of 2014 (the patch is from 2012, as is version 1.13).