XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Derby | Apache | 10.1.1.0 (including) | 10.1.1.0 (including) |
| Derby | Apache | 10.1.2.1 (including) | 10.1.2.1 (including) |
| Derby | Apache | 10.1.3.1 (including) | 10.1.3.1 (including) |
| Derby | Apache | 10.2.1.6 (including) | 10.2.1.6 (including) |
| Derby | Apache | 10.2.2.0 (including) | 10.2.2.0 (including) |
| Derby | Apache | 10.3.3.0 (including) | 10.3.3.0 (including) |
| Derby | Apache | 10.4.1.3 (including) | 10.4.1.3 (including) |
| Derby | Apache | 10.4.2.0 (including) | 10.4.2.0 (including) |
| Derby | Apache | 10.5.1.1 (including) | 10.5.1.1 (including) |
| Derby | Apache | 10.5.3.0 (including) | 10.5.3.0 (including) |
| Derby | Apache | 10.6.1.0 (including) | 10.6.1.0 (including) |
| Derby | Apache | 10.6.2.1 (including) | 10.6.2.1 (including) |
| Derby | Apache | 10.7.1.1 (including) | 10.7.1.1 (including) |
| Derby | Apache | 10.8.1.2 (including) | 10.8.1.2 (including) |
| Derby | Apache | 10.8.2.2 (including) | 10.8.2.2 (including) |
| Derby | Apache | 10.8.3.0 (including) | 10.8.3.0 (including) |
| Derby | Apache | 10.9.1.0 (including) | 10.9.1.0 (including) |
| Derby | Apache | 10.10.1.1 (including) | 10.10.1.1 (including) |
| Derby | Apache | 10.10.2.0 (including) | 10.10.2.0 (including) |
| Derby | Apache | 10.11.1.1 (including) | 10.11.1.1 (including) |
| Derby | Ubuntu | artful | * |
| Derby | Ubuntu | esm-apps/xenial | * |
| Derby | Ubuntu | trusty | * |
| Derby | Ubuntu | upstream | * |
| Derby | Ubuntu | xenial | * |
| Derby | Ubuntu | yakkety | * |
| Derby | Ubuntu | zesty | * |