CVE-2017-12621
Description
Apache Commons Jelly before 1.0.1 is vulnerable to XXE attacks via a crafted Jelly XML file with a custom doctype SYSTEM entity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Commons Jelly before 1.0.1 is vulnerable to XXE attacks via a crafted Jelly XML file with a custom doctype SYSTEM entity.
Vulnerability
Apache Commons Jelly before version 1.0.1 is vulnerable to XML External Entity (XXE) attacks during parsing of Jelly XML files. When a custom doctype entity is declared with a "SYSTEM" entity containing a URL and that entity is used in the Jelly file, the parser attempts to connect to the URL [1][3]. This occurs when using Apache Xerces as the underlying XML parser [1].
Exploitation
An attacker can craft a Jelly XML file with a malicious doctype declaration that defines an external entity pointing to an attacker-controlled URL. If a victim or system parses this file (e.g., via a web application that processes user-uploaded Jelly files), the parser will attempt to fetch the URL, potentially leaking sensitive data or performing other XXE-based actions [3]. No authentication is required if the parser processes untrusted content.
Impact
Successful exploitation allows a remote attacker to conduct XML external entity attacks, leading to disclosure of system information, user information, or other sensitive data [3]. The impact is limited to the privileges of the process parsing the Jelly file.
Mitigation
The vulnerability is fixed in Apache Commons Jelly version 1.0.1 [3][4]. Users should upgrade to this version or later. No workaround is available for earlier versions. The fix was released in September 2017.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
commons-jelly:commons-jellyMaven | < 1.0.1 | 1.0.1 |
Affected products
2- Range: 1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- issues.apache.org/jira/browse/JELLY-293nvdIssue TrackingPatchVendor AdvisoryWEB
- www.securityfocus.com/bid/101052nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1039444nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-6g33-82gc-3pw5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-12621ghsaADVISORY
- lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73@%3Cdev.commons.apache.org%3EghsaWEB
- web.archive.org/web/20200227144849/http://www.securityfocus.com/bid/101052ghsaWEB
- web.archive.org/web/20210303081618/http://www.securitytracker.com/id/1039444ghsaWEB
- lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3Envd
News mentions
0No linked articles in our index yet.