CVE Vulnerability

CVE-2018-11788

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

7.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://karaf.apache.org/security/cve-2018-11788.txt Vendor Advisory
http://www.securityfocus.com/bid/106479 Third Party Advisory VDB Entry
Configurations

Configuration 1

cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:karaf:4.2.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:karaf:4.2.0:milestone2:*:*:*:*:*:*
Information

Published : 2019-01-07 04:29

Updated : 2019-02-12 08:38

NVD link : CVE-2018-11788

Mitre link : CVE-2018-11788

Products Affected
No products.
CWE
CWE-611

Improper Restriction of XML External Entity Reference