CVE-2014-2053

Name: CVE-2014-2053
Description: getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-56-1, DSA-3001-1
NVD severity: high (attack range: remote)
Debian Bugs: 757312

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| owncloud (PTS) | jessie (security) | 7.0.4+dfsg-4~deb8u3 | fixed |
| php-getid3 (PTS) | wheezy | 1.9.3-1+deb7u2 | fixed |
| | jessie | 1.9.8-3 | fixed |
| | stretch | 1.9.12+dfsg-1 | fixed |
| | buster, sid | 1.9.14+dfsg-1 | fixed |
| wordpress (PTS) | wheezy | 3.6.1+dfsg-1~deb7u10 | fixed |
| | wheezy (security) | 3.6.1+dfsg-1~deb7u16 | fixed |
| | jessie | 4.1+dfsg-1+deb8u14 | fixed |
| | jessie (security) | 4.1+dfsg-1+deb8u15 | fixed |
| | stretch | 4.7.5+dfsg-2 | fixed |
| | stretch (security) | 4.7.5+dfsg-2+deb9u1 | fixed |
| | buster, sid | 4.8.2+dfsg-2 | fixed |

The information below is based on the following data on fixed versions.

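| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| owncloud | source | (unstable) | 6.0.2+dfsg-1 | high | | |
| php-getid3 | source | (unstable) | 1.9.7-2 | high | | |
| php-getid3 | source | squeeze | (not affected) | | | |
| php-getid3 | source | wheezy | 1.9.3-1+deb7u1 | high | | |
| wordpress | source | (unstable) | 3.9.2+dfsg-1 | high | | 757312 |
| wordpress | source | squeeze | 3.6.1+dfsg-1~deb6u5 | high | DLA-56-1 | |
| wordpress | source | wheezy | 3.6.1+dfsg-1~deb7u4 | high | DSA-3001-1 | |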

Notes

[squeeze] - php-getid3 <not-affected> (Vulnerable code not present)
https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
https://core.trac.wordpress.org/changeset/29390
