- Added submission from Apache Synapse from 2017-12-10.

2025-08-04 08:44:25 +00:00 · 2017-12-11 09:06:55 -05:00 · 2017-12-11 09:06:55 -05:00 · 67a2efa49d
commit 67a2efa49d
parent 61d1681664
1 changed files with 61 additions and 3 deletions
--- a/2017/15xxx/CVE-2017-15708.json
+++ b/2017/15xxx/CVE-2017-15708.json
@ -1,8 +1,47 @@
 {
   "CVE_data_meta" : {
-      "ASSIGNER" : "cve@mitre.org",
+      "ASSIGNER" : "security@apache.org",
+      "DATE_PUBLIC" : "2017-12-10T00:00:00",
      "ID" : "CVE-2017-15708",
-      "STATE" : "RESERVED"
+      "STATE" : "PUBLIC"
+   },
+   "affects" : {
+      "vendor" : {
+         "vendor_data" : [
+            {
+               "product" : {
+                  "product_data" : [
+                     {
+                        "product_name" : "Synapse",
+                        "version" : {
+                           "version_data" : [
+                              {
+                                 "version_value" : "3.0.0"
+                              },
+                              {
+                                 "version_value" : "2.1.0"
+                              },
+                              {
+                                 "version_value" : "2.0.0"
+                              },
+                              {
+                                 "version_value" : "1.2"
+                              },
+                              {
+                                 "version_value" : "1.1.2"
+                              },
+                              {
+                                 "version_value" : "1.1.1"
+                              }
+                           ]
+                        }
+                     }
+                  ]
+               },
+               "vendor_name" : "Apache Software Foundation"
+            }
+         ]
+      }
   },
   "data_format" : "MITRE",
   "data_type" : "CVE",
@ -11,7 +50,26 @@
      "description_data" : [
         {
            "lang" : "eng",
-            "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+            "value" : "Due to the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions, Apache Synapse 3.0.0 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. To mitigate the issue upgrading to 3.0.1 version is required. In Synapse 3.0.1 version, Commons Collection has been updated to 3.2.2 version which contains the fix for the above mentioned vulnerability."
+         }
+      ]
+   },
+   "problemtype" : {
+      "problemtype_data" : [
+         {
+            "description" : [
+               {
+                  "lang" : "eng",
+                  "value" : "Remote Code Execution Vulnerability"
+               }
+            ]
+         }
+      ]
+   },
+   "references" : {
+      "reference_data" : [
+         {
+            "url" : "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E"
         }
      ]
   }