CVE-2018-1311

CWE-416 — Use After Free20 documents11 sources

Severity

8.1HIGH

EPSS

4.2%

top 11.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Xerces C++Apache Xerces-c\+\+Oracle Goldengate +9 more

Timeline

PublishedDec 18

Latest updateFeb 16

Description

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages9 packages

▶NVDapache/xerces-c\+\+3.0.0 — 3.2.5

▶CVEListV5apache_software_foundation/apache_xerces_c++3.0.0 — 3.2.5

▶CVEListV5apache_software_foundation/apache_xerces-c3.0.0 to 3.2.2

▶Debianxerces-c< 3.2.3+debian-2+3

▶Ubuntuxerces-c< 3.2.2+debian-1ubuntu0.2+4

Also affects: Debian Linux 10.0, 9.0, Fedora 38, 39, Enterprise Linux 7.7

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

xerces-c vulnerabilities↗2024-01-18

▶

GHSA

GHSA-7rpp-hwhj-9hv8: The Apache Xerces-C 3↗2022-05-24

▶

OSV

CVE-2018-1311: The Apache Xerces-C 3↗2019-12-18

▶

CVEList

CVE-2018-1311: The Apache Xerces-C 3↗2019-12-18

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Windows Kernel - 'nt!RtlpCopyLegacyContextX86' Stack Memory Disclosure↗2018-02-20

▶

📋Vendor Advisories

Red Hat

xerces-c: duplicate CVE to announce correct fixed-in versions↗2024-02-16

▶

Ubuntu

Xerces-C++ vulnerabilities↗2024-01-18

▶

Ubuntu

Xerces-C++ vulnerability↗2024-01-16

▶

Ubuntu

Xerces-C++ vulnerability↗2024-01-11

▶

Oracle

Oracle Oracle JD Edwards Risk Matrix: Enterprise Infrastructure (Apache Xerces-C++) — CVE-2018-1311↗2023-04-15

▶

💬Community

Bugzilla

CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs [fedora-all]↗2020-01-07

▶

Bugzilla

CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs↗2020-01-07

▶

Bugzilla

CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs [epel-8]↗2020-01-07

▶

Bugzilla

CVE-2018-1311 xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs [epel-6]↗2020-01-07

▶