GHSA-92wj-x78c-m4fx

Source
https://github.com/advisories/GHSA-92wj-x78c-m4fx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-92wj-x78c-m4fx/GHSA-92wj-x78c-m4fx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-92wj-x78c-m4fx
Aliases
Published
2019-01-07T19:14:49Z
Modified
2024-02-16T08:17:38.125040Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
XML External Entity Reference in Apache Karaf
Details

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by the XMLInputFactory class. Apache Karaf's XMLInputFactory class doesn't contain any mitigation code against XXE. This is a potential security risk, as a user can inject external XML entities in Apache Karaf versions prior to 4.1.7 or 4.2.2. It has been fixed in the Apache Karaf 4.1.7 and 4.2.2 releases.
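
As an added illustration (not code from Apache Karaf or from this advisory), the standard way to close this class of XXE in a StAX XMLInputFactory is to disable DTD processing and external-entity support before the features XML is read. The features document below is constructed for the example and declares an external entity that a hardened parser must never resolve; the element names are assumed, not taken from Karaf's schema.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedFeaturesReader {

    // Constructed sample: a features file carrying an external entity
    // declaration, the pattern CWE-611 describes.
    static final String SAMPLE_FEATURES =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE features [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
        + "<features name=\"demo\">\n"
        + "  <feature name=\"first\">&ext;</feature>\n"
        + "  <feature name=\"second\">ok</feature>\n"
        + "</features>";

    // Factory with XXE mitigations applied. Both properties are standard
    // javax.xml.stream constants; neither is set by a default factory.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    // Counts <feature> elements. With the hardened factory the undeclared
    // entity is either reported as an XMLStreamException or returned as an
    // unresolved ENTITY_REFERENCE event (implementation dependent); in no
    // case is the SYSTEM URI fetched.
    static int countFeatures(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        int count = 0;
        while (reader.hasNext()) {
            int event = reader.next();
            if (event == XMLStreamConstants.START_ELEMENT
                    && "feature".equals(reader.getLocalName())) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        try {
            int n = countFeatures(hardenedFactory(), SAMPLE_FEATURES);
            System.out.println("parsed " + n + " feature(s), entity left unresolved");
        } catch (XMLStreamException e) {
            System.out.println("rejected by hardened parser: " + e.getMessage());
        }
    }
}
```

The detection side is the same check in reverse: a features file whose prolog contains a DOCTYPE with a SYSTEM or PUBLIC entity declaration has no legitimate reason to be in a deploy folder and is worth flagging on its own.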

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:27:16Z"
}
References

Affected packages

Maven / org.apache.karaf.specs:org.apache.karaf.specs.java.xml

Package

Name
org.apache.karaf.specs:org.apache.karaf.specs.java.xml
Purl
pkg:maven/org.apache.karaf.specs/org.apache.karaf.specs.java.xml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.2

Affected versions

4.*

4.2.0
4.2.1

Maven / org.apache.karaf.specs:org.apache.karaf.specs.java.xml

Package

Name
org.apache.karaf.specs:org.apache.karaf.specs.java.xml
Purl
pkg:maven/org.apache.karaf.specs/org.apache.karaf.specs.java.xml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.1.7