SB2019010908 - XXE attack in Apache Karaf



SB2019010908 - XXE attack in Apache Karaf

Published: January 9, 2019

Security Bulletin ID SB2019010908
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) XML External Entity injection (CVE-ID: CVE-2018-11788)

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:L/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can deploy XML file directly in the deploy folder, trick the victim into opening it and obtain potentially sensitive information or cause the service to crash.

Remediation

Install update from vendor's website.