CVE-2018-11788

CWE-611 — XML External Entity (XXE)6 documents6 sources

Severity

9.8CRITICAL

EPSS

24.7%

top 3.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Karaf Apache Software Foundation Apache Karaf

Timeline

PublishedJan 7

Description

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/karaf4.2.0 — 4.2.1+2

▶Mavenorg.apache.karaf.specs:org.apache.karaf.specs.java.xml4.2.0 — 4.2.2+1

▶CVEListV5apache_software_foundation/apache_karafAny Apache Karaf version prior to 4.1.7 and 4.2.2

🔴Vulnerability Details

OSV

XML External Entity Reference in Apache Karaf↗2019-01-07

▶

GHSA

XML External Entity Reference in Apache Karaf↗2019-01-07

▶

CVEList

CVE-2018-11788: Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder↗2019-01-07

▶

📋Vendor Advisories

Red Hat

karaf: XML external entity processing↗2019-01-06

▶

💬Community

Bugzilla

CVE-2018-11788 karaf: XML external entity processing↗2019-01-07

▶