Ecosyste.ms: Advisories
XML External Entity Reference in Apache Karaf
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by the XMLInputFactory class. Apache Karaf's XMLInputFactory class doesn't contain any mitigation code against XXE. This is a potential security risk, as a user can inject external XML entities in Apache Karaf versions prior to 4.1.7 or 4.2.2. It has been fixed in the Apache Karaf 4.1.7 and 4.2.2 releases.
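As an added illustration (not code from the advisory or from the Karaf project), the snippet below parses a constructed features-style document twice: once with a plain XMLInputFactory and once with DTD support and external entity resolution switched off, which is the generic StAX mitigation. It assumes the JDK's built-in StAX implementation; the hardened settings are not quoted from the Karaf fix commit.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class FeaturesXmlHardening {
    // Constructed sample: features-style document whose DTD declares an entity (internal,
    // for a deterministic run; a SYSTEM entity would sit in the same DOCTYPE).
    static final String FEATURES_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE features [ <!ENTITY injected \"expanded-by-parser\"> ]>\n"
        + "<features name=\"demo\"><feature name=\"&injected;\"/></features>";

    // Weak: a plain factory. The JDK's default StAX implementation supports DTDs
    // and resolves external entities unless told otherwise.
    static XMLInputFactory defaultFactory() { return XMLInputFactory.newInstance(); }

    // Hardened: refuse DTDs and external entity resolution (generic StAX mitigation, assumed).
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Returns the first <feature> name attribute. The hardened factory skips the DTD, so the
    // reference is undeclared and parsing throws XMLStreamException instead of expanding it.
    static String firstFeatureName(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT && "feature".equals(r.getLocalName())) {
                    return r.getAttributeValue(null, "name");
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) {
        for (XMLInputFactory f : new XMLInputFactory[] {defaultFactory(), hardenedFactory()}) {
            try {
                System.out.println("accepted, feature name = " + firstFeatureName(f, FEATURES_XML));
            } catch (XMLStreamException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The same two properties can be read back with getProperty() as a deployment-time check that a factory handed to the deployer is actually hardened.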
Permalink: https://github.com/advisories/GHSA-92wj-x78c-m4fx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTkyd2oteDc4Yy1tNGZ4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 6 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-92wj-x78c-m4fx, CVE-2018-11788
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-11788
- http://karaf.apache.org/security/cve-2018-11788.txt
- https://github.com/apache/karaf/commit/0c36c50bc158739c8fc8543122a6740c54adafca
- https://web.archive.org/web/20200227101219/https://www.securityfocus.com/bid/106479/
- https://github.com/advisories/GHSA-92wj-x78c-m4fx
Blast Radius: 10.9
Affected Packages
maven:org.apache.karaf.specs:org.apache.karaf.specs.java.xml
Dependent packages: 5
Dependent repositories: 13
Affected Version Ranges: < 4.1.7; >= 4.2.0, < 4.2.2
Fixed in: 4.1.7, 4.2.2
All affected versions: 4.2.0, 4.2.1
All unaffected versions: 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.2.15, 4.2.16, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6