Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA5OXAtNzI2aC1jOHY1

Apache juddi-client vulnerable to XML External Entity (XXE)

In Apache jUDDI 3.2 through 3.3.4, when the WADL2Java or WSDL2Java classes are used, which parse a local or remote XML document and then mediate the data structures into UDDI data structures, there is little protection against entity expansion and DTD-based attacks. Mitigation is to use 3.3.5.

Permalink: https://github.com/advisories/GHSA-p99p-726h-c8v5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA5OXAtNzI2aC1jOHY1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: over 1 year ago


CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-p99p-726h-c8v5, CVE-2018-1307
References:
Blast Radius: 15.4

Affected Packages

maven:org.apache.juddi:juddi-client
Dependent packages: 29
Dependent repositories: 79
Downloads:
Affected Version Ranges: >= 3.2, < 3.3.5
Fixed in: 3.3.5
All affected versions: 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4
All unaffected versions: 2.0.0, 2.0.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10