#VU16643 XXE attack in Apache Oozie


Published: 2018-12-19 | Updated: 2018-12-20

Vulnerability identifier: #VU16643

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11799

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Oozie
Client/Desktop applications / Software for system administration

Vendor: Apache Foundation

Description
The vulnerability allows a remote attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into opening an XML file that submits malicious input and impersonate other users.

Mitigation
Update to version 5.1.0.

Vulnerable software versions

Apache Oozie: 3.1.1 - 5.0.0

External links
http://lists.apache.org/thread.html/347e7a8cb86014b7ca37e49eb00b8d088203bdc0bcfb4799f8e5955a@%3Cuse...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


XXE attack in Apache Oozie