CVE-2018-11788

EPSS 24.75%
Veröffentlicht 07.01.2019 16:29:00
Zuletzt bearbeitet 21.11.2024 03:44:02
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Karaf Version < 4.1.7

Apache ≫ Karaf Version >= 4.2.0 <= 4.2.1

Apache ≫ Karaf Version4.2.0 Updatemilestone1

Apache ≫ Karaf Version4.2.0 Updatemilestone2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	24.75%	0.956

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

http://karaf.apache.org/security/cve-2018-11788.txt

Vendor Advisory

http://www.securityfocus.com/bid/106479

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2018-11788

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-11788

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-11788

EUVD