Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA5OXAtNzI2aC1jOHY1

Apache juddi-client vulnerable to XML External Entity (XXE)

In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5.

Permalink: https://github.com/advisories/GHSA-p99p-726h-c8v5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA5OXAtNzI2aC1jOHY1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 6 years ago
Updated: almost 2 years ago


CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-p99p-726h-c8v5, CVE-2018-1307
References: Blast Radius: 15.4

Affected Packages

maven:org.apache.juddi:juddi-client
Dependent packages: 29
Dependent repositories: 79
Downloads:
Affected Version Ranges: >= 3.2, < 3.3.5
Fixed in: 3.3.5
All affected versions: 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4
All unaffected versions: 2.0.0, 2.0.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10