Vulnerability Details : CVE-2012-0037
Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read arbitrary files via a crafted XML external entity (XXE) declaration and reference in an RDF document.
Vulnerability category: XML external entity (XXE) injection
Exploit prediction scoring system (EPSS) score for CVE-2012-0037
Probability of exploitation activity in the next 30 days: 0.44%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 74 %
CVSS scores for CVE-2012-0037
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST |
CWE ids for CVE-2012-0037
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-0037
- http://rhn.redhat.com/errata/RHSA-2012-0410.html
  RHSA-2012:0410 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://secunia.com/advisories/48479
  (Broken Link; Vendor Advisory)
- http://blog.documentfoundation.org/2012/03/22/tdf-announces-libreoffice-3-4-6/
  TDF announces LibreOffice 3.4.6 - The Document Foundation Blog (Release Notes)
- http://www.openwall.com/lists/oss-security/2012/03/27/4
  oss-security - Fwd: CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected) (Exploit; Mailing List)
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:063
  (Broken Link)
- http://www.libreoffice.org/advisories/CVE-2012-0037/
  CVE-2012-0037 | LibreOffice - Free Office Suite - Fun Project - Fantastic People (Vendor Advisory)
- http://security.gentoo.org/glsa/glsa-201209-05.xml
  LibreOffice: Multiple vulnerabilities (GLSA 201209-05) — Gentoo security (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2012-0411.html
  RHSA-2012:0411 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://secunia.com/advisories/48494
  (Broken Link)
- http://vsecurity.com/resources/advisory/20120324-1/
  (Broken Link)
- http://secunia.com/advisories/48526
  (Broken Link; Vendor Advisory)
- http://secunia.com/advisories/50692
  (Broken Link)
- http://secunia.com/advisories/48529
  (Broken Link; Vendor Advisory)
- http://www.securitytracker.com/id?1026837
  OpenOffice.org XML External Entity Processing Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker (Broken Link; Third Party Advisory; VDB Entry)
- http://secunia.com/advisories/48493
  (Broken Link; Vendor Advisory)
- http://www.openoffice.org/security/cves/CVE-2012-0037.html
  CVE-2012-0037 (Mitigation; Patch)
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:061
  (Broken Link)
- http://secunia.com/advisories/60799
  (Broken Link)
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077708.html
  [SECURITY] Fedora 17 Update: raptor2-2.0.7-1.fc17 (Mailing List)
- https://lists.apache.org/thread.html/re0504f08000df786e51795940501e81a5d0ae981ecca68141e87ece0%40%3Ccommits.openoffice.apache.org%3E
  svn commit: r1874832 - in /openoffice/ooo-site/trunk/content: download/checksums.html download/globalvars.js download/test/globalvars.js security/cves/CVE-2012-0037.html security/cves/CVE-2013-1571.ht (Mailing List; Patch)
- http://secunia.com/advisories/48649
  (Broken Link)
- http://www.securityfocus.com/bid/52681
  Raptor XML External Entity Information Disclosure Vulnerability (Broken Link; Third Party Advisory; VDB Entry)
- http://librdf.org/raptor/RELEASE.html#rel2_0_7
  Raptor RDF Syntax Library - Release Notes (Release Notes)
- https://github.com/dajobe/raptor/commit/a676f235309a59d4aa78eeffd2574ae5d341fcb0
  CVE-2012-0037 · dajobe/raptor@a676f23 · GitHub (Patch)
- http://www.osvdb.org/80307
  (Broken Link)
- http://www.debian.org/security/2012/dsa-2438
  Debian -- Security Information -- DSA-2438-1 raptor (Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:062
  (Broken Link)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74235
  OpenOffice.org XML information disclosure CVE-2012-0037 Vulnerability Report (Third Party Advisory; VDB Entry)
- http://secunia.com/advisories/48542
  (Broken Link; Vendor Advisory)
- http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
  OpenOffice, LibreOffice: Multiple vulnerabilities (GLSA 201408-19) — Gentoo security (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078242.html
  [SECURITY] Fedora 16 Update: raptor2-2.0.7-1.fc16 (Mailing List)
Products affected by CVE-2012-0037
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:storage:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:storage_for_public_cloud:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:gluster_storage_server_for_on-premise:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openoffice:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:openoffice:3.4.0:beta:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:*
- cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*
- cpe:2.3:a:libreoffice:libreoffice:3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:librdf:raptor:*:*:*:*:*:*:*:*