Joern Kottmann

Name of the Vulnerable Software and Affected Versions: Apache uimaj versions prior to 2.10.2 Apache uimaj 3.0.0-xxx versions prior to 3.0.0-beta Apache uima-as versions prior to 2.10.2 Apache uimaFIT versions prior to 2.4.0 Apache uimaDUCC versions prior to 2.2.2 Description: The issue relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA, as part of its configuration and operation, may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content. Recommendations: For Apache uimaj versions prior to 2.10.2, update to version 2.10.2 or later. For Apache uimaj 3.0.0-xxx versions prior to 3.0.0-beta, update to version 3.0.0-beta or later. For Apache uima-as versions prior to 2.10.2, update to version 2.10.2 or later. For Apache uimaFIT versions prior to 2.4.0, update to version 2.4.0 or later. For Apache uimaDUCC versions prior to 2.2.2, update to version 2.2.2 or later.