UBUNTU-CVE-2018-1000652

Source
https://ubuntu.com/security/CVE-2018-1000652
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000652.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2018-1000652
Upstream
Published
2018-08-20T19:31:00Z
Modified
2025-10-24T04:47:21Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Ubuntu - medium
Summary
[none]
Details

JabRef version <=4.3.1 contains an XML External Entity (XXE) vulnerability in the MsBibImporter XML parser that can result in disclosure of confidential data, denial of service, server-side request forgery, and port scanning. This attack appears to be exploitable via a specially crafted MsBib file. This vulnerability appears to have been fixed after commit 89f855d.

References

Affected packages

Ubuntu:16.04:LTS / jabref

Package

Name
jabref
Purl
pkg:deb/ubuntu/jabref@2.10+ds-5?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.10+ds-4
2.10+ds-5

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "jabref",
            "binary_version": "2.10+ds-5"
        },
        {
            "binary_name": "jabref-plugin-oo",
            "binary_version": "2.10+ds-5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000652.json"

Ubuntu:18.04:LTS / jabref

Package

Name
jabref
Purl
pkg:deb/ubuntu/jabref@3.8.2+ds-12~18.04?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.8.2+ds-12~18.04

Affected versions

3.*
3.8.2+ds-2
3.8.2+ds-3

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jabref",
            "binary_version": "3.8.2+ds-12~18.04"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000652.json"