Vulnerability-Lookup

CNVD-2021-100232

Vulnerability from cnvd - Published: 2021-12-15

Title

Apache Any23代码注入漏洞

Description

Anything To Triples（any23）是美国阿帕奇（Apache）基金会的一个应用软件。一个库、一个 Web 服务和一个命令行工具，可从各种 Web 文档中提取 RDF 格式的结构化数据。 Apache Any23 存在代码注入漏洞，该漏洞源于Any23 StreamUtils.java文件中发现了一个 XML 外部实体 (XXE) 注入漏洞。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Apache Any23代码注入漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-38555

Impacted products

Name
Apache any23 <2.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-38555"
    }
  },
  "description": "Anything To Triples\uff08any23\uff09\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u4e2a\u5e93\u3001\u4e00\u4e2a Web \u670d\u52a1\u548c\u4e00\u4e2a\u547d\u4ee4\u884c\u5de5\u5177\uff0c\u53ef\u4ece\u5404\u79cd Web \u6587\u6863\u4e2d\u63d0\u53d6 RDF \u683c\u5f0f\u7684\u7ed3\u6784\u5316\u6570\u636e\u3002\n\nApache Any23 \u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eAny23 StreamUtils.java\u6587\u4ef6\u4e2d\u53d1\u73b0\u4e86\u4e00\u4e2a XML \u5916\u90e8\u5b9e\u4f53 (XXE) \u6ce8\u5165\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-100232",
  "openTime": "2021-12-15",
  "patchDescription": "Anything To Triples\uff08any23\uff09\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u4e2a\u5e93\u3001\u4e00\u4e2a Web \u670d\u52a1\u548c\u4e00\u4e2a\u547d\u4ee4\u884c\u5de5\u5177\uff0c\u53ef\u4ece\u5404\u79cd Web \u6587\u6863\u4e2d\u63d0\u53d6 RDF \u683c\u5f0f\u7684\u7ed3\u6784\u5316\u6570\u636e\u3002\r\n\r\nApache Any23 \u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eAny23 StreamUtils.java\u6587\u4ef6\u4e2d\u53d1\u73b0\u4e86\u4e00\u4e2a XML \u5916\u90e8\u5b9e\u4f53 (XXE) \u6ce8\u5165\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Any23\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache any23 \u003c2.5"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-38555",
  "serverity": "\u4e2d",
  "submitTime": "2021-09-14",
  "title": "Apache Any23\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2021-38555 (GCVE-0-2021-38555)

Vulnerability from cvelistv5 – Published: 2021-09-11 11:05 – Updated: 2024-08-04 01:44

Title

An XML external entity (XXE) injection vulnerability exists in Apache Any23 StreamUtils.java

Summary

An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

Severity ?

No CVSS data available.

CWE

XML external entity (XXE) injection vulnerability

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread.html/r589d1a9f94d…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Any23	Affected: Apache Any23 , < 2.5 (custom)

Credits

The Apache Any23 Project Management Committee would like to thank Zhuxuan Wu for reporting the security vulnerability.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:44:23.463Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Any23",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.5",
              "status": "affected",
              "version": "Apache Any23",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The Apache Any23 Project Management Committee would like to thank Zhuxuan Wu for reporting the security vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions \u003c 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "critical"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "XML external entity (XXE) injection vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-11T11:06:16",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "An XML external entity (XXE) injection vulnerability exists in Apache Any23 StreamUtils.java",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-38555",
          "STATE": "PUBLIC",
          "TITLE": "An XML external entity (XXE) injection vulnerability exists in Apache Any23 StreamUtils.java"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Any23",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Any23",
                            "version_value": "2.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "The Apache Any23 Project Management Committee would like to thank Zhuxuan Wu for reporting the security vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions \u003c 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "critical"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "XML external entity (XXE) injection vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-38555",
    "datePublished": "2021-09-11T11:05:11",
    "dateReserved": "2021-08-11T00:00:00",
    "dateUpdated": "2024-08-04T01:44:23.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-100232

CVE-2021-38555 (GCVE-0-2021-38555)

Tags

Sightings

Nomenclature