CVE-2014-1626 - Vulnerability Details - OpenCVE

XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Galen Charlton	Marc-xml

Configuration 1 [-]

OR	cpe:2.3:a:galen_charlton:marc-xml::::::::
	cpe:2.3:a:galen_charlton:marc-xml:1.0:::::::*

No data.

References

Link	Providers
http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html
http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html
http://osvdb.org/102367
http://secunia.com/advisories/55404
http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html
http://www.securityfocus.com/bid/65057
https://exchange.xforce.ibmcloud.com/vulnerabilities/90620
https://metacpan.org/source/GMCHARLT/MARC-XML-1.0.2/Changes

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-01-26T01:00:00

Updated: 2024-08-06T09:50:09.800Z

Reserved: 2014-01-21T00:00:00

Link: CVE-2014-1626

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-01-26T01:55:20.563

Modified: 2025-04-11T00:51:21.963

Link: CVE-2014-1626

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-21T00:00:00", "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "102367", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/102367"}, {"name": "marcfile-xml-info-disc(90620)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90620"}, {"name": "55404", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/55404"}, {"name": "65057", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/65057"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://metacpan.org/source/GMCHARLT/MARC-XML-1.0.2/Changes"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html"}, {"name": "[Koha] 20140122 SECURITY release: MARC::File::XML 1.0.2", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html"}, {"name": "[OPEN-ILS-GENERAL] 20140121 SECURITY release: MARC::File::XML 1.0.2", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1626", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "102367", "refsource": "OSVDB", "url": "http://osvdb.org/102367"}, {"name": "marcfile-xml-info-disc(90620)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90620"}, {"name": "55404", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55404"}, {"name": "65057", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65057"}, {"name": "https://metacpan.org/source/GMCHARLT/MARC-XML-1.0.2/Changes", "refsource": "CONFIRM", "url": "https://metacpan.org/source/GMCHARLT/MARC-XML-1.0.2/Changes"}, {"name": "http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html", "refsource": "CONFIRM", "url": "http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html"}, {"name": "[Koha] 20140122 SECURITY release: MARC::File::XML 1.0.2", "refsource": "MLIST", "url": "http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html"}, {"name": "[OPEN-ILS-GENERAL] 20140121 SECURITY release: MARC::File::XML 1.0.2", "refsource": "MLIST", "url": "http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:50:09.800Z"}, "title": "CVE Program Container", "references": [{"name": "102367", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/102367"}, {"name": "marcfile-xml-info-disc(90620)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90620"}, {"name": "55404", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/55404"}, {"name": "65057", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/65057"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://metacpan.org/source/GMCHARLT/MARC-XML-1.0.2/Changes"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html"}, {"name": "[Koha] 20140122 SECURITY release: MARC::File::XML 1.0.2", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html"}, {"name": "[OPEN-ILS-GENERAL] 20140121 SECURITY release: MARC::File::XML 1.0.2", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1626", "datePublished": "2014-01-26T01:00:00", "dateReserved": "2014-01-21T00:00:00", "dateUpdated": "2024-08-06T09:50:09.800Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:galen_charlton:marc-xml:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AD7D4FA-81E1-4698-8172-77D594A06219", "versionEndIncluding": "1.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:galen_charlton:marc-xml:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6CD3CC3A-4475-4B25-8B64-8A273B186009", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file."}, {"lang": "es", "value": "Vulnerabilidad XML External Entity (XXE) en el m\u00f3dulo MARC::File::XML anteriores a 1.0.2 para Perl, utilizado en Evergreen, Koha, perl4lib, y posiblemente otros productos, permite a atacantes dependientes de contexto leer archivos de forma arbitraria a trav\u00e9s de un archivo XML manipulado."}], "id": "CVE-2014-1626", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-26T01:55:20.563", "references": [{"source": "cve@mitre.org", "url": "http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html"}, {"source": "cve@mitre.org", "url": "http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/102367"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/55404"}, {"source": "cve@mitre.org", "url": "http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/65057"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90620"}, {"source": "cve@mitre.org", "url": "https://metacpan.org/source/GMCHARLT/MARC-XML-1.0.2/Changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/102367"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/55404"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/65057"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90620"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://metacpan.org/source/GMCHARLT/MARC-XML-1.0.2/Changes"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}