PT-2018-9568 · Oracle+1 · Jaxb+1

Jwilson

Publicado

2018-12-20

Atualizado

2019-07-01

CVE-2018-1000844

CVSS v3.1

9.1

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437

Description The issue is related to a XML External Entity (XXE) vulnerability in JAXB, which can be exploited by an attacker to remotely read files from the file system or to perform Server-Side Request Forgery (SSRF).

Recommendations For Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437, update to a version that includes the fix committed in 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 to resolve the issue. As a temporary workaround, consider restricting the use of JAXB to minimize the risk of exploitation.

Correção

XXE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-611

Identificadores relacionados

CVE-2018-1000844

GHSA-J379-9JR9-W5CQ

Produtos afetados

Jaxb

Retrofit

PT-2018-9568 · Oracle+1 · Jaxb+1

CVE-2018-1000844

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7