CVE-2018-12544

EPSS 0.62%
Veröffentlicht 10.10.2018 20:29:00
Zuletzt bearbeitet 21.11.2024 03:45:24
Quelle emo@eclipse.org
Teams Watchlist Login
Unerledigt Login

In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Eclipse ≫ Vert.X Version3.5.0

Eclipse ≫ Vert.X Version3.5.0 Updatebeta1

Eclipse ≫ Vert.X Version3.5.1

Eclipse ≫ Vert.X Version3.5.2

Eclipse ≫ Vert.X Version3.5.2 Updatecr1

Eclipse ≫ Vert.X Version3.5.2 Updatecr2

Eclipse ≫ Vert.X Version3.5.2 Updatecr3

Eclipse ≫ Vert.X Version3.5.3

Eclipse ≫ Vert.X Version3.5.3 Updatecr1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.62%	0.691

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E

https://access.redhat.com/errata/RHSA-2018:2946

Third Party Advisory

https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568

Patch

Vendor Advisory

Issue Tracking

https://github.com/vert-x3/vertx-web/issues/1021

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-12544

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-12544

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-12544

EUVD