CVE-2018-1307

CWE-611XML External Entity (XXE)CWE-776XML Entity Expansion (Billion Laughs)6 documents6 sources
Severity
8.1HIGH
EPSS
1.1%
top 21.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache JuddiApache Software Foundation Apache Juddi
Timeline
PublishedFeb 9
Latest updateOct 19

Description

In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

Mavenorg.apache.juddi:juddi-client3.23.3.5
NVDapache/juddi3.23.3.4

Patches

Patch: issues.apache.orgPatch: issues.apache.org

🔴Vulnerability Details

3
GHSA
Apache juddi-client vulnerable to XML External Entity (XXE)2018-10-19
OSV
Apache juddi-client vulnerable to XML External Entity (XXE)2018-10-19
CVEList
CVE-2018-1307: In Apache jUDDI 32018-02-09

📋Vendor Advisories

1
Red Hat
juddi-client: XML Entity Expansion in WADL2Java or WSDL2Java classes2017-11-10

💬Community

1
Bugzilla
CVE-2018-1307 juddi-client: XML Entity Expansion in WADL2Java or WSDL2Java classes2018-02-09
CVE-2018-1307 (HIGH CVSS 8.1) | In Apache jUDDI 3.2 through 3.3.4 | cvebase.io