CVE-2018-11788

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-11788

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11788.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-11788

Aliases

GHSA-92wj-x78c-m4fx

Published

2019-01-07T16:29:00Z

Modified

2024-09-03T02:03:56.014779Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

References

Affected packages

Git / github.com/apache/karaf

Affected ranges

Type: GIT
Repo: https://github.com/apache/karaf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2b609475dab4e504d5136ecc1f506b4365f9a111

Affected versions

karaf-3.*

karaf-3.0.0

karaf-4.*

karaf-4.0.0

karaf-4.0.0.M1

karaf-4.0.0.M2

karaf-4.0.0.M3

karaf-4.0.1

karaf-4.0.2

karaf-4.0.3

karaf-4.0.4

karaf-4.1.0

karaf-4.1.1

karaf-4.1.2

karaf-4.1.3

karaf-4.1.4

karaf-4.1.5

karaf-4.1.6