製品・ソフトウェアに関する情報

JVN脆弱性詳細

WebKit などで利用される xslt.c における任意のファイルを作成される脆弱性

Title	WebKit などで利用される xslt.c における任意のファイルを作成される脆弱性
Summary	WebKit などで利用される XML Security Library の xslt.c には、XSLT が有効な際、任意のファイルを作成される、または上書きされる脆弱性が存在します。
Possible impacts	第三者により、任意のファイルを作成される、または上書きされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 31, 2011, midnight
Registration Date	May 24, 2011, 10:03 a.m.
Last Update	May 24, 2011, 10:03 a.m.

CVSS2.0 : 警告
Score	5.1
Vector	AV:N/AC:H/Au:N/C:P/I:P/A:P

Affected System

レッドハット

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

Red Hat Enterprise Linux EUS 5.6.z (server)

Red Hat Enterprise Linux Long Life (v. 5.6 server)

RHEL Desktop Workstation 5 (client)

Aleksey

XML Security Library 1.2.17 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-1425	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1425
National Vulnerability Database (NVD)
2	CVE-2011-1425	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1425

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Red Hat Security Advisory
1	RHSA-2011:0486	https://rhn.redhat.com/errata/RHSA-2011-0486.html
xmlsec
2	Download_The latest stable XML Security Library version is 1.2.18	http://www.aleksey.com/xmlsec/download.html
3	New xmlsec 1.2.17 release	http://www.aleksey.com/pipermail/xmlsec/2011/009120.html

その他

No	Name	URL
SecurityFocus
1	47135	http://www.securityfocus.com/bid/47135

Change Log

No	Changed Details	Date of change
0	[2011年05月24日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-1425

Summary	xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification.
Publication Date	April 4, 2011, 9:27 p.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:26 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:aleksey:xml_security_library::::::::		1.2.16
cpe:2.3:a:aleksey:xml_security_library:0.0.3:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.10:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.2a:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.5:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.9:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.13:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.9:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.3:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.8:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.13:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.1.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.2:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.2:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.2:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.1.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.0:rc1::::::
cpe:2.3:a:aleksey:xml_security_library:1.2.14:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.12:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.10:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.7:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.11:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.3:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.1.2:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.6:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.0:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.0:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.11:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.4:::::::*
cpe:2.3:a:apple:webkit::::::::
cpe:2.3:a:aleksey:xml_security_library:1.2.15:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.1.0:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.1.0:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.5:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.4:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.15:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.6:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.7:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.4:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.14:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.8:::::::*

Related information, measures and tools

No	URL	タグ
1	http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780	Patch
2	http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa	Patch
3	http://secunia.com/advisories/43920	Vendor Advisory
4	http://secunia.com/advisories/44167
5	http://secunia.com/advisories/44423
6	http://trac.webkit.org/changeset/79159
7	http://www.aleksey.com/pipermail/xmlsec/2011/009120.html	Patch
8	http://www.debian.org/security/2011/dsa-2219
9	http://www.mandriva.com/security/advisories?name=MDVSA-2011:063
10	http://www.redhat.com/support/errata/RHSA-2011-0486.html
11	http://www.securityfocus.com/bid/47135
12	http://www.securitytracker.com/id?1025284
13	http://www.vupen.com/english/advisories/2011/0855
14	http://www.vupen.com/english/advisories/2011/0858
15	http://www.vupen.com/english/advisories/2011/1010
16	http://www.vupen.com/english/advisories/2011/1172
17	https://bugs.webkit.org/show_bug.cgi?id=52688
18	https://bugzilla.redhat.com/show_bug.cgi?id=692133	Patch
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/66506
20	http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780	Patch
21	https://exchange.xforce.ibmcloud.com/vulnerabilities/66506
22	https://bugzilla.redhat.com/show_bug.cgi?id=692133	Patch
23	https://bugs.webkit.org/show_bug.cgi?id=52688
24	http://www.vupen.com/english/advisories/2011/1172
25	http://www.vupen.com/english/advisories/2011/1010
26	http://www.vupen.com/english/advisories/2011/0858
27	http://www.vupen.com/english/advisories/2011/0855
28	http://www.securitytracker.com/id?1025284
29	http://www.securityfocus.com/bid/47135
30	http://www.redhat.com/support/errata/RHSA-2011-0486.html
31	http://www.mandriva.com/security/advisories?name=MDVSA-2011:063
32	http://www.debian.org/security/2011/dsa-2219
33	http://www.aleksey.com/pipermail/xmlsec/2011/009120.html	Patch
34	http://trac.webkit.org/changeset/79159
35	http://secunia.com/advisories/44423
36	http://secunia.com/advisories/44167
37	http://secunia.com/advisories/43920	Vendor Advisory
38	http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa	Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:aleksey:xml_security_library::::::::		1.2.16
cpe:2.3:a:aleksey:xml_security_library:0.0.3:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.10:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.2a:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.5:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.9:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.13:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.9:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.3:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.8:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.13:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.1.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.2:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.2:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.2:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.1.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.0:rc1::::::
cpe:2.3:a:aleksey:xml_security_library:1.2.14:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.12:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.10:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.7:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.11:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.3:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.1.2:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.6:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.0:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.0:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.11:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.4:::::::*
cpe:2.3:a:apple:webkit::::::::
cpe:2.3:a:aleksey:xml_security_library:1.2.15:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.1.0:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.1.0:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.5:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.0.4:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.15:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.6:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.7:::::::*
cpe:2.3:a:aleksey:xml_security_library:1.2.4:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.14:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.1:::::::*
cpe:2.3:a:aleksey:xml_security_library:0.0.8:::::::*