Main Vulnerability Database Vulnerabilities #VU16895

#VU16895 XML External Entity injection in Karaf - CVE-2018-11788

Published: January 9, 2019

Vulnerability identifier: #VU16895

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:L/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-11788

CWE-ID: CWE-611

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Karaf

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can deploy XML file directly in the deploy folder, trick the victim into opening it and obtain potentially sensitive information or cause the service to crash.

Remediation

Install updates from vendor's website.

External links

http://karaf.apache.org/security/cve-2018-11788.txt

#VU16895 XML External Entity injection in Karaf - CVE-2018-11788

Description

Remediation

External links

Please verify you're human