Vulnerability-Lookup

CNVD-2018-19600

Vulnerability from cnvd - Published: 2018-09-21

Title

JetBrains IntelliJ IDEA XML parser XML外部实体注入漏洞

Description

JetBrains IntelliJ IDEA是捷克共和国JetBrains公司的一套适用于Java语言的集成开发环境。XML parser是其中的一个XML解析器。 JetBrains IntelliJ IDEA中的XML parser存在XML外部实体注入漏洞，攻击者可借助恶意的‘AndroidManifest.xml’文件利用该漏洞检索用户电脑上的任意文件。

Severity

中

Patch Name

JetBrains IntelliJ IDEA XML parser XML外部实体注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.jetbrains.com/

Reference

http://git.jetbrains.org/?p=idea/adt-tools-base.git;a=commit;h=a778b2b88515513654e002cd51cbe8eb8226e96b https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/ https://youtrack.jetbrains.com/issue/IDEA-175381

Impacted products

Name
JetBrains IntelliJ IDEA

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8316"
    }
  },
  "description": "JetBrains IntelliJ IDEA\u662f\u6377\u514b\u5171\u548c\u56fdJetBrains\u516c\u53f8\u7684\u4e00\u5957\u9002\u7528\u4e8eJava\u8bed\u8a00\u7684\u96c6\u6210\u5f00\u53d1\u73af\u5883\u3002XML parser\u662f\u5176\u4e2d\u7684\u4e00\u4e2aXML\u89e3\u6790\u5668\u3002\r\n\r\nJetBrains IntelliJ IDEA\u4e2d\u7684XML parser\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u501f\u52a9\u6076\u610f\u7684\u2018AndroidManifest.xml\u2019\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u68c0\u7d22\u7528\u6237\u7535\u8111\u4e0a\u7684\u4efb\u610f\u6587\u4ef6\u3002",
  "discovererName": "Dmitry Avdeev",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.jetbrains.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-19600",
  "openTime": "2018-09-21",
  "patchDescription": "JetBrains IntelliJ IDEA\u662f\u6377\u514b\u5171\u548c\u56fdJetBrains\u516c\u53f8\u7684\u4e00\u5957\u9002\u7528\u4e8eJava\u8bed\u8a00\u7684\u96c6\u6210\u5f00\u53d1\u73af\u5883\u3002XML parser\u662f\u5176\u4e2d\u7684\u4e00\u4e2aXML\u89e3\u6790\u5668\u3002\r\n\r\nJetBrains IntelliJ IDEA\u4e2d\u7684XML parser\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u501f\u52a9\u6076\u610f\u7684\u2018AndroidManifest.xml\u2019\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u68c0\u7d22\u7528\u6237\u7535\u8111\u4e0a\u7684\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "JetBrains IntelliJ IDEA XML parser XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "JetBrains IntelliJ IDEA"
  },
  "referenceLink": "http://git.jetbrains.org/?p=idea/adt-tools-base.git;a=commit;h=a778b2b88515513654e002cd51cbe8eb8226e96b\r\nhttps://research.checkpoint.com/parsedroid-targeting-android-development-research-community/\r\nhttps://youtrack.jetbrains.com/issue/IDEA-175381",
  "serverity": "\u4e2d",
  "submitTime": "2018-08-07",
  "title": "JetBrains IntelliJ IDEA XML parser XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2017-8316 (GCVE-0-2017-8316)

Vulnerability from cvelistv5 – Published: 2018-08-03 15:00 – Updated: 2024-09-16 18:23

Summary

IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.

Severity

No CVSS data available.

CWE

XEE in XML parser

Assigner

checkpoint

References

3 references

URL	Tags
http://git.jetbrains.org/?p=idea/adt-tools-base.g…	x_refsource_CONFIRM
https://youtrack.jetbrains.com/issue/IDEA-175381	x_refsource_MISC
https://research.checkpoint.com/parsedroid-target…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
JetBrains	IntelliJ IDEA	Affected: <173

Date Public

2017-08-08 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:34:22.327Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://git.jetbrains.org/?p=idea/adt-tools-base.git%3Ba=commit%3Bh=a778b2b88515513654e002cd51cbe8eb8226e96b"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://youtrack.jetbrains.com/issue/IDEA-175381"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "IntelliJ IDEA",
          "vendor": "JetBrains",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c173"
            }
          ]
        }
      ],
      "datePublic": "2017-08-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "XEE in XML parser",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-08-03T14:57:01.000Z",
        "orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
        "shortName": "checkpoint"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://git.jetbrains.org/?p=idea/adt-tools-base.git%3Ba=commit%3Bh=a778b2b88515513654e002cd51cbe8eb8226e96b"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://youtrack.jetbrains.com/issue/IDEA-175381"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@checkpoint.com",
          "DATE_PUBLIC": "2017-08-08T00:00:00",
          "ID": "CVE-2017-8316",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "IntelliJ IDEA",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c173"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "JetBrains"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "XEE in XML parser"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://git.jetbrains.org/?p=idea/adt-tools-base.git;a=commit;h=a778b2b88515513654e002cd51cbe8eb8226e96b",
              "refsource": "CONFIRM",
              "url": "http://git.jetbrains.org/?p=idea/adt-tools-base.git;a=commit;h=a778b2b88515513654e002cd51cbe8eb8226e96b"
            },
            {
              "name": "https://youtrack.jetbrains.com/issue/IDEA-175381",
              "refsource": "MISC",
              "url": "https://youtrack.jetbrains.com/issue/IDEA-175381"
            },
            {
              "name": "https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/",
              "refsource": "MISC",
              "url": "https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
    "assignerShortName": "checkpoint",
    "cveId": "CVE-2017-8316",
    "datePublished": "2018-08-03T15:00:00.000Z",
    "dateReserved": "2017-04-28T00:00:00.000Z",
    "dateUpdated": "2024-09-16T18:23:33.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-19600

CVE-2017-8316 (GCVE-0-2017-8316)

Tags

Sightings

Nomenclature