6.5

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-15691

CVE-2017-15691: Improper Restriction of XML External Entity Reference in Apache uimaj

In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2017-15691

CVE-2017-15691:

6.5

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.uima:uimafit-core	maven	< 2.4.0	2.4.0
org.apache.uima:uimaj-core	maven	< 2.10.2	2.10.2
org.apache.uima:uimaj-core	maven	>= 3.0.0-alpha, <= 3.0.0-alpha02	3.0.0-beta
org.apache.uima:uimaj-as-core	maven	< 2.10.2	2.10.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from XML parsers in UIMA components not properly restricting external entity expansion. While no direct patch diffs are provided, the CVE description and security reports indicate the issue exists in multiple XML processing points across UIMA's configuration handling. Standard XXE mitigation in Java XML parsers involves:

Disabling DTD processing
Enabling FEATURE_SECURE_PROCESSING
Preventing external entity expansion

Key XML parsing entry points would be in configuration handlers for analysis engines, type systems, and component descriptors. The identified functions represent core XML processing locations that would need security configuration changes (as evidenced by the patched versions' release notes). Confidence is medium due to reliance on vulnerability patterns rather than direct patch analysis, but aligns with:

The CWE-611 classification
UIMA's XML-heavy configuration system
Standard Java XXE mitigation patterns
The distributed nature of fixes across multiple components (uimaj-core, uimafit, etc.)

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2017-15691: Improper Restriction of XML External Entity Reference in Apache uimaj

CVE-2017-15691:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

CVE-2017-15691: Improper Restriction of XML External Entity Reference in Apache uimaj

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI