SB2019010908 - XXE attack in Apache Karaf
Published: January 9, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) XML External Entity injection (CVE-ID: CVE-2018-11788)
CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to conduct XXE-attack.
The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can deploy XML file directly in the deploy folder, trick the victim into opening it and obtain potentially sensitive information or cause the service to crash.
Remediation
Install update from vendor's website.