GHSA-xmvg-w4f9-99r7

Source
https://github.com/advisories/GHSA-xmvg-w4f9-99r7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-xmvg-w4f9-99r7/GHSA-xmvg-w4f9-99r7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xmvg-w4f9-99r7
Aliases
Published
2018-12-20T22:02:51Z
Modified
2024-02-17T05:36:31.664167Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
XML External Entity (XXE) vulnerability in bw-calendar-engine
Details

bw-calendar-engine versions up to and including 3.12.0 contain an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser. Because the client parses XML returned by a remote iSchedule server with external entity resolution enabled, a malicious server or a man-in-the-middle can supply a DOCTYPE that makes the client resolve attacker-chosen URIs. Exploitation can result in disclosure of confidential data (local files read into the parsed document), denial of service, server-side request forgery (SSRF), and port scanning from the client host. Note that the affected range listed below extends to 3.12.2.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:50Z"
}
References

Affected packages

Maven / org.bedework.caleng:bw-calendar-engine

Package

Name
org.bedework.caleng:bw-calendar-engine
Purl
pkg:maven/org.bedework.caleng/bw-calendar-engine

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
3.12.2

Affected versions

3.*

3.12.0
3.12.1
3.12.2