CVE-2016-15011

e-Contract dssp SignResponseVerifier.java checkSignResponse xml external entity reference

Description

A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.2 is able to address this issue. The identifier of the patch is ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to upgrade the affected component. The identifier VDB-217549 was assigned to this vulnerability.

References

Link	Tags
https://vuldb.com/?id.217549	permissions required vdb entry third party advisory technical description
https://vuldb.com/?ctiid.217549	permissions required signature third party advisory
https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302	third party advisory patch
https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2	release notes third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2016-15011?: CVE-2016-15011 has been scored as a medium severity vulnerability.
How to fix CVE-2016-15011?: To fix CVE-2016-15011, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2016-15011 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2016-15011 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-15011?: CVE-2016-15011 affects e-Contract dssp.

Description

Category

CWE-611 – Improper Restriction of XML External Entity Reference

References

Frequently Asked Questions