CVE-2015-0851 - Vulnerability Details - OpenCVE

XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Xmltooling Project	Xmltooling

Configuration 1 [-]

cpe:2.3:a:xmltooling_project:xmltooling:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://shibboleth.net/community/advisories/secadv_20150721.txt
http://www.debian.org/security/2015/dsa-3321
http://www.securityfocus.com/bid/76134
https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900
https://nvd.nist.gov/vuln/detail/CVE-2015-0851
https://www.cve.org/CVERecord?id=CVE-2015-0851

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2015-08-12T14:00:00

Updated: 2024-08-06T04:26:11.077Z

Reserved: 2015-01-07T00:00:00

Link: CVE-2015-0851

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-08-12T14:59:01.793

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-0851

Redhat

Severity : Moderate

Publid Date: 2015-07-21T00:00:00Z

Links: CVE-2015-0851 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-07-21T00:00:00", "descriptions": [{"lang": "en", "value": "XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://shibboleth.net/community/advisories/secadv_20150721.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900"}, {"name": "76134", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/76134"}, {"name": "DSA-3321", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3321"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2015-0851", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://shibboleth.net/community/advisories/secadv_20150721.txt", "refsource": "CONFIRM", "url": "http://shibboleth.net/community/advisories/secadv_20150721.txt"}, {"name": "https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900", "refsource": "CONFIRM", "url": "https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900"}, {"name": "76134", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76134"}, {"name": "DSA-3321", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3321"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:26:11.077Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://shibboleth.net/community/advisories/secadv_20150721.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900"}, {"name": "76134", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/76134"}, {"name": "DSA-3321", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3321"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2015-0851", "datePublished": "2015-08-12T14:00:00", "dateReserved": "2015-01-07T00:00:00", "dateUpdated": "2024-08-06T04:26:11.077Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmltooling_project:xmltooling:*:*:*:*:*:*:*:*", "matchCriteriaId": "7186385A-8E6B-466A-A0DF-AFCB1A3D73FF", "versionEndIncluding": "1.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data."}, {"lang": "es", "value": "Vulnerabilidad en XMLTooling-C en versi\u00f3n anterior a 1.5.5, tal como se utiliza en OpenSAML-C y Shibboleth Service Provider (SP), no maneja correctamente las excepciones de conversi\u00f3n de entero, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda) a trav\u00e9s de datos XML de esquema no v\u00e1lido."}], "id": "CVE-2015-0851", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-12T14:59:01.793", "references": [{"source": "security@debian.org", "tags": ["Vendor Advisory"], "url": "http://shibboleth.net/community/advisories/secadv_20150721.txt"}, {"source": "security@debian.org", "url": "http://www.debian.org/security/2015/dsa-3321"}, {"source": "security@debian.org", "url": "http://www.securityfocus.com/bid/76134"}, {"source": "security@debian.org", "url": "https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://shibboleth.net/community/advisories/secadv_20150721.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3321"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/76134"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-189"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "xmltooling: incorrect processing of well-formed but invalid XML", "id": "1248504", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1248504"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "draft"}, "cwe": "CWE-20", "details": ["XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data."], "name": "CVE-2015-0851", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform", "fix_state": "Affected", "package_name": "xmltooling", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Affected", "package_name": "xmltooling", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Affected", "package_name": "xmltooling", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Affected", "package_name": "xmltooling", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Affected", "package_name": "xmltooling", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-6.0", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-esb-7.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-others", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Affected", "package_name": "xmltooling", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Affected", "package_name": "xmltooling", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Affected", "package_name": "xmltooling", "product_name": "Red Hat JBoss Portal 6"}], "public_date": "2015-07-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-0851\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-0851"], "threat_severity": "Moderate"}