CVE-2017-12621

critical

Apache

CVSS v3 Base Score

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.8%

Exploitation probability in 30 days

Top 27% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Confidentiality

High

Integrity

High

Availability

High

Published: September 28, 2017 (3151 days ago)

Last Modified: May 13, 2026

Vendor: Apache

Source: NVD

Description

During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.

CWE

CWE-611

Affected Products

apache commons jelly

References

🔗 www.securityfocus.com 🔗 www.securitytracker.com 🔗 issues.apache.org 🔗 lists.apache.org 🔗 www.securityfocus.com

CVE-2017-12621

Vulnerability Report

Description

CWE

Affected Products

References