Main Vulnerability Database Vulnerabilities #VU16895

XML External Entity injection in Karaf - CVE-2018-11788

Published: January 9, 2019

Vulnerability identifier: #VU16895

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:L/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-11788

CWE-ID: CWE-611

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Karaf

Detailed vulnerability description

The vulnerability allows a remote attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can deploy XML file directly in the deploy folder, trick the victim into opening it and obtain potentially sensitive information or cause the service to crash.

How to mitigate CVE-2018-11788

Install updates from vendor's website.

Sources

http://karaf.apache.org/security/cve-2018-11788.txt

XML External Entity injection in Karaf - CVE-2018-11788

Detailed vulnerability description

How to mitigate CVE-2018-11788

Sources

Please verify you're human