Apache UIMA before version 2.10.2 has an XML external entity expansion vulnerability. A remote attacker could exploit this to potentially execute arbitrary code.
Created uimaj tracking bugs for this issue:
Affects: fedora-all [bug 1572464]
This issue affects the versions of lucene (which contains an embedded copy of uima) as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not include lucene and are not vulnerable to this issue.
This issue has been addressed in the following products:
Red Hat Fuse 7.3.1
Via RHSA-2019:1545 https://access.redhat.com/errata/RHSA-2019:1545
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):