PT-2018-10809 · Apache · Apache Cayenne

Andrus Adamchik · Published 2018-08-22 · Updated 2022-05-14 · CVE-2018-11758

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apache Cayenne versions 3.1 through 3.1.2
Apache Cayenne version 3.2.M1
Apache Cayenne versions 4.0.B1 through 4.0.RC1
Apache Cayenne versions 4.0.M2 through 4.0.M5
Apache Cayenne version 4.1.M1
Description

The issue affects CayenneModeler, a desktop GUI tool for editing Cayenne ORM models stored as XML files. An attacker can trick a user into opening a malicious XML file; because the XML parser processes XML External Entity (XXE) declarations found in the file, the attacker can have files transferred from the user's local machine to a remote machine.
Recommendations

For Apache Cayenne versions 3.1 through 3.1.2, 3.2.M1, 4.0.B1 through 4.0.RC1, 4.0.M2 through 4.0.M5, and 4.1.M1, update to a version where XXE processing is disabled in all operations that require XML parsing.
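The fix described above, disabling XXE processing in the XML parser, as an added Java example; this is not Cayenne's own code, and the data-map element names and the file path in the sample document are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedModelParser {

    // Constructed sample: a model-like XML file carrying an external entity
    // declaration of the kind the advisory describes. The path is a placeholder.
    static final String UNTRUSTED_MODEL_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data-map [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>\n"
      + "<data-map><db-entity name=\"&ext;\"/></data-map>";

    // A JAXP DocumentBuilder configured so that XXE cannot occur.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE outright blocks external entities and entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE ever has to be allowed: no external
        // general or parameter entities and no external DTD loading.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Forbid all external DTD and schema access at the JAXP level as well.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    static Document parse(DocumentBuilder b, String xml) throws Exception {
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parse(hardenedBuilder(), UNTRUSTED_MODEL_XML);
            System.out.println("unexpected: document was accepted");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same feature flags apply to SAXParserFactory and, via its own setProperty calls, to XMLInputFactory, so every parsing path in an application needs the same treatment, as the recommendation says.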

Fix

XXE


Weakness Enumeration

Related Identifiers

CVE-2018-11758
GHSA-85HW-W436-C725

Affected Products

Apache Cayenne