6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-15691

GHSA ID

GHSA-wp2f-hrg2-3r5m

EPSS Score

0.71952%

CWE

CWE-611

Published

5/14/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-15691

CVE-2017-15691: Improper Restriction of XML External Entity Reference in Apache uimaj

In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content.

(GitHub Advisory)

6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-15691

GHSA ID

GHSA-wp2f-hrg2-3r5m

EPSS Score

0.71952%

CWE

CWE-611

Published

5/14/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.uima:uimafit-core	maven	< 2.4.0	2.4.0
org.apache.uima:uimaj-core	maven	< 2.10.2	2.10.2
org.apache.uima:uimaj-core	maven	>= 3.0.0-alpha, <= 3.0.0-alpha02	3.0.0-beta
org.apache.uima:uimaj-as-core	maven	< 2.10.2	2.10.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from XML parsers in UIMA components not properly restricting external entity expansion. While no direct patch diffs are provided, the CVE description and security reports indicate the issue exists in multiple XML processing points across UIMA's configuration handling. Standard XXE mitigation in Java XML parsers involves:

Disabling DTD processing
Enabling FEATURE_SECURE_PROCESSING
Preventing external entity expansion

Key XML parsing entry points would be in configuration handlers for analysis engines, type systems, and component descriptors. The identified functions represent core XML processing locations that would need security configuration changes (as evidenced by the patched versions' release notes). Confidence is medium due to reliance on vulnerability patterns rather than direct patch analysis, but aligns with:

The CWE-611 classification
UIMA's XML-heavy configuration system
Standard Java XXE mitigation patterns
The distributed nature of fixes across multiple components (uimaj-core, uimafit, etc.)

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** uim*j prior to *.**.*, *p**** uim*j *.*.*-xxx prior to *.*.*-**t*, *p**** uim*-*s prior to *.**.*, *p**** uim**IT prior to *.*.*, *p**** uim**U** prior to *.*.*, t*is vuln*r**ility r*l*t*s to *n XML *xt*rn*l *ntity *xp*nsion (XX*) **p**ilit

Reasoning

T** vuln*r**ility st*ms *rom XML p*rs*rs in UIM* *ompon*nts not prop*rly r*stri*tin* *xt*rn*l *ntity *xp*nsion. W*il* no *ir**t p*t** *i**s *r* provi***, t** *V* **s*ription *n* s**urity r*ports in*i**t* t** issu* *xists in multipl* XML pro**ssin* po

6.5

Basic Information

Concerned about an active attack path?

CVE-2017-15691: Improper Restriction of XML External Entity Reference in Apache uimaj

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI