{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-09T04:50:49.967","vulnerabilities":[{"cve":{"id":"CVE-2017-12621","sourceIdentifier":"security@apache.org","published":"2017-09-28T01:29:01.293","lastModified":"2026-05-13T00:24:29.033","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a \"SYSTEM\" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1."},{"lang":"es","value":"Durante el análisis sintáctico de archivos Jelly (xml) con Apache Xerces, si se declara una entidad de tipo de archivo personalizado con una entidad \"SYSTEM\" con una URL y esa entidad se emplea en el cuerpo del archivo Jelly, el analizador sintáctico intentará conectarse a dicha URL durante la creación de la instancia del análisis. Esto podría permitir ataques XEE (XML External Entity) en Apache Commons Jelly en versiones anteriores a la 1.0.1."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-611"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:commons_jelly:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.1","matchCriteriaId":"41EE6AE8-F18D-4CDD-BA96-4BA1ED170622"}]}]}],"references":[{"url":"http://www.securityfocus.com/bid/101052","source":"security@apache.org","tags":["Third Party Advisory","VDB Entry"]},{"url":"http://www.securitytracker.com/id/1039444","source":"security@apache.org","tags":["Third Party Advisory","VDB Entry"]},{"url":"https://issues.apache.org/jira/browse/JELLY-293","source":"security@apache.org","tags":["Issue Tracking","Patch","Vendor Advisory"]},{"url":"https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3E","source":"security@apache.org"},{"url":"http://www.securityfocus.com/bid/101052","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"]},{"url":"http://www.securitytracker.com/id/1039444","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"]},{"url":"https://issues.apache.org/jira/browse/JELLY-293","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Vendor Advisory"]},{"url":"https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}