CVE-2018-11788

EPSS 24.75%
Published 07.01.2019 16:29:00
Last modified 21.11.2024 03:44:02
Source security@apache.org
Teams watchlist Login
Open Login

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Karaf Version < 4.1.7

Apache ≫ Karaf Version >= 4.2.0 <= 4.2.1

Apache ≫ Karaf Version4.2.0 Updatemilestone1

Apache ≫ Karaf Version4.2.0 Updatemilestone2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	24.75%	0.956

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

http://karaf.apache.org/security/cve-2018-11788.txt

Vendor Advisory

http://www.securityfocus.com/bid/106479

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2018-11788

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-11788

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-11788

EUVD