CVE-2018-8035: Apache UIMA - Security Reports

This vulnerability relates to the user’s browser processing of DUCC webpage input data. The javascript comprising Apache UIMA DUCC (<= 2.2.2) which runs in the user’s browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code.


**Security Update List by CVEs**

Here are the known Security Vulnerabilities for Apache UIMA, listed by CVE number.

  • CVE-2018-8035: Apache UIMA DUCC webserver cross-site scripting (XSS) vulnerability due to unintended execution of user supplied javascript code.

    Severity: Important

    Vendor: The Apache Software Foundation

    Versions Affected:

    • Apache UIMA DUCC releases including and prior to 2.2.2

    Description. The details of this vulnerability were reported to the Apache UIMA Private mailing list.

    This vulnerability relates to the user’s browser processing of DUCC web page input data.

    The javascript comprising Apache UIMA DUCC which runs in the user’s browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code.

    Mitigation: Users are advised to upgrade these UIMA components to the following levels:

    • Apache UIMA DUCC: upgrade to 3.0.0 or later

    Credit: Marshall Schor

  • CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack exposure

    Severity: Important

    Vendor: The Apache Software Foundation

    Versions Affected:

    • uimaj 2.x.x releases prior to 2.10.2
    • uimaj 3.0.0 releases prior to 3.0.0-beta
    • uima-as releases prior to 2.10.2
    • uimaFIT releases prior to 2.4.0
    • uimaDUCC releases prior to 2.2.2

    Description. The details of this vulnerability were reported to the Apache UIMA Private mailing list.

    This vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details.

    UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.

    Mitigation: Users are advised to upgrade these UIMA components to the following levels or later:

    • uimaj: 2.x.x upgrade to 2.10.2 or later
    • uimaj: 3.x.x upgrade to 3.0.0 or later
    • uima-as: upgrade to 2.10.2 or later
    • uimaFIT: upgrade to 2.4.0 or later
    • uimaDUCC: upgrade to 2.2.2 or later

    Credit: Joern Kottmann

**Reporting New Security Problems with Apache UIMA**

We strongly encourage people to report new security problems to the private security mailing list of the ASF Security Team, before disclosing them in a public forum.

Please see the page of the ASF Security Team for further information and contact information.

The Security Team cannot accept regular bug reports or other queries; please use the regular UIMA mailing lists for those.

**Security Standards**

Apache UIMA vulnerabilities are labeled with CVE (Common Vulnerabilities and Exposures) identifiers.


Copyright © 2006-2013, The Apache Software Foundation.
Apache UIMA, UIMA, the Apache UIMA logo and the Apache Feather logo are trademarks of The Apache Software Foundation.
All other marks mentioned may be trademarks or registered trademarks of their respective owners.
