Bug 1225252 (CVE-2015-3208) - CVE-2015-3208 hornetq: XXE/SSRF in XPath selector
Summary: CVE-2015-3208 hornetq: XXE/SSRF in XPath selector
Alias: CVE-2015-3208
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1478549 1478550 1478551 1545359
Blocks: 1225253
TreeView+ depends on / blocked
Reported: 2015-05-27 00:40 UTC by Fabio Olive Leite
Modified: 2021-02-17 05:15 UTC (History)
47 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-06-16 04:50:53 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2927 0 None None None 2018-10-16 15:19:15 UTC

Description Fabio Olive Leite 2015-05-27 00:40:56 UTC
An XXE vulnerability was reported in the XPath component of HornetQ,
which is present in various middleware products.

Comment 2 Fabio Olive Leite 2015-05-27 02:58:03 UTC

Red Hat would like to thank David Jorm of IIX Product Security for reporting this issue.

Comment 5 Kurt Seifried 2015-07-24 04:27:03 UTC
This issue appears to have been fixed in the following commit:


Comment 6 Clebert Suconic 2017-08-01 20:36:22 UTC
There is no release prior to that commit. Why is this being considered a CVE?

Comment 7 Clebert Suconic 2017-08-01 20:42:20 UTC
There has never been a release of Artemis before that commit. is there any way to challenge the CVE?

Comment 8 Fabio Olive Leite 2017-08-03 20:27:21 UTC
Hi Clebert, I have asked two Product Security engineers to review this flaw and update the metadata if it is indeed incorrect.

Comment 9 Clebert Suconic 2017-08-03 20:48:03 UTC
In HornetQ.. maybe.. but never in Artemis.

I'm not sure this was an issue with hornetq.. as maybe it wasn't released.

Comment 10 Jason Shepherd 2017-08-03 23:08:05 UTC
Kurt, I don't think that that SAM, or Sat 6 could be affected here. The affected code never made it into an release AFAIK. Can you verifying and update the whiteboard on this?

Comment 11 Kurt Seifried 2017-08-04 18:59:06 UTC
Created hornetq tracking bugs for this issue:

Affects: fedora-all [bug 1478551]

Comment 13 errata-xmlrpc 2018-10-16 15:18:59 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

Comment 14 ecottom 2021-01-15 15:27:50 UTC
(In reply to Clebert Suconic from comment #7)
> There has never been a release of Artemis before that commit. is there any
> way to challenge the CVE?


CNA Processes
English: https://cve.mitre.org/cve/cna/CNA_Processes.pptx | https://youtu.be/yLqUMKD2Y9k
Japanese: https://cve.mitre.org/cve/cna/CNA_Processes_ja.pptx

Note You need to log in before you can comment on or make changes to this bug.