CVE-2011-1483
JBoss Communications Platform - Denial of Service via XML Entity Expansion
wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.
References (3)
Core References
Patch x_refsource_confirm
http://source.jboss.org/changelog/JBossWS/?cs=13996
Various Sources vendor-advisory x_refsource_hp
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03824583
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=692584
Scores
EPSS
0.0374
EPSS Percentile
88.2%
Details
Status
published
Products (18)
hp/network_node_manager_i
9.0
hp/network_node_manager_i
9.01
hp/network_node_manager_i
9.02
hp/network_node_manager_i
9.03
hp/network_node_manager_i
9.10
org.jboss.ws/jbossws-common
0 - 2.1.0.Final (Maven)
redhat/jboss_communications_platform
1.2.11
redhat/jboss_communications_platform
5.1.1
redhat/jboss_enterprise_application_platform
4.2.0 cp09
redhat/jboss_enterprise_application_platform
4.3.0
... and 8 more
Published
Jul 29, 2013
Tracked Since
Feb 18, 2026