CVE-2014-5392
medium
CVSS v3
-
CVSS v4
-
VIR risk
5.8
Description
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.
Predictions
Exploit likelihood
20%
Patch ETA
-
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| sos | jobscheduler | up to and including 1.6.4131 | |
| sos | jobscheduler | 1.6.4014 | |
| sos | jobscheduler | 1.6.4043 | |
| sos | jobscheduler | 1.7.4177 | |
| sos | jobscheduler | 1.7.4189 | |
References
- http://packetstormsecurity.com/files/128181/JobScheduler-XML-eXternal-Entity-Injection.html
- http://www.christian-schneider.net/advisories/CVE-2014-5392.txt
- http://www.securityfocus.com/archive/1/533374/100/0/threaded
- http://www.sos-berlin.com/modules/news/article.php?storyid=73
- https://change.sos-berlin.com/browse/JS-1204