GHSA-wr69-g62g-2r9h · Severity: critical · Ecosystem: maven — Improper Restriction of XML External Entity Reference in Apache Derby
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
Conclusion & alert: CVE-2015-1832 is rated Moderate Risk (62.5/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 0.82%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS note: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-17 | 0.63% | 0.82% | +0.19% |
| 2 | 2026-01-22 | 0.82% | 0.63% | -0.19% |
| 3 | 2026-01-19 | — | 0.82% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.1 | 3.0 | CRITICAL | — | 3.9 | 5.2 | [email protected] |
| 6.4 | 2.0 | MEDIUM | — | 10.0 | 4.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| debian | not yet assigned | CVE-2015-1832 not yet assigned priority: Debian, 1 source package (derby), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2015-1832 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2015-1832 |
| ubuntu | medium | CVE-2015-1832 medium priority: Ubuntu, 1 source package (derby), 23 status rows across 23 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, precise, questing, trusty, upstream, xenial, yakkety, zesty): not-affected 16, ignored 3, DNE 2, needed 1, released 1. | https://ubuntu.com/security/CVE-2015-1832 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | derby | 10.1.1.0 | cpe:2.3:a:apache:derby:10.1.1.0:*:*:*:*:*:*:* |
| apache | derby | 10.1.2.1 | cpe:2.3:a:apache:derby:10.1.2.1:*:*:*:*:*:*:* |
| apache | derby | 10.1.3.1 | cpe:2.3:a:apache:derby:10.1.3.1:*:*:*:*:*:*:* |
| apache | derby | 10.2.1.6 | cpe:2.3:a:apache:derby:10.2.1.6:*:*:*:*:*:*:* |
| apache | derby | 10.2.2.0 | cpe:2.3:a:apache:derby:10.2.2.0:*:*:*:*:*:*:* |
| apache | derby | 10.3.3.0 | cpe:2.3:a:apache:derby:10.3.3.0:*:*:*:*:*:*:* |
| apache | derby | 10.4.1.3 | cpe:2.3:a:apache:derby:10.4.1.3:*:*:*:*:*:*:* |
| apache | derby | 10.4.2.0 | cpe:2.3:a:apache:derby:10.4.2.0:*:*:*:*:*:*:* |
| apache | derby | 10.5.1.1 | cpe:2.3:a:apache:derby:10.5.1.1:*:*:*:*:*:*:* |
| apache | derby | 10.5.3.0 | cpe:2.3:a:apache:derby:10.5.3.0:*:*:*:*:*:*:* |
| apache | derby | 10.6.1.0 | cpe:2.3:a:apache:derby:10.6.1.0:*:*:*:*:*:*:* |
| apache | derby | 10.6.2.1 | cpe:2.3:a:apache:derby:10.6.2.1:*:*:*:*:*:*:* |
| apache | derby | 10.7.1.1 | cpe:2.3:a:apache:derby:10.7.1.1:*:*:*:*:*:*:* |
| apache | derby | 10.8.1.2 | cpe:2.3:a:apache:derby:10.8.1.2:*:*:*:*:*:*:* |
| apache | derby | 10.8.2.2 | cpe:2.3:a:apache:derby:10.8.2.2:*:*:*:*:*:*:* |
| apache | derby | 10.8.3.0 | cpe:2.3:a:apache:derby:10.8.3.0:*:*:*:*:*:*:* |
| apache | derby | 10.9.1.0 | cpe:2.3:a:apache:derby:10.9.1.0:*:*:*:*:*:*:* |
| apache | derby | 10.10.1.1 | cpe:2.3:a:apache:derby:10.10.1.1:*:*:*:*:*:*:* |
| apache | derby | 10.10.2.0 | cpe:2.3:a:apache:derby:10.10.2.0:*:*:*:*:*:*:* |
| apache | derby | 10.11.1.1 | cpe:2.3:a:apache:derby:10.11.1.1:*:*:*:*:*:*:* |