PT-2019-4260 · Apache · Apache Karaf

Published

2019-01-07

Updated

2019-02-12

CVE-2018-11788

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Apache Karaf versions prior to 4.1.7 Apache Karaf versions prior to 4.2.2

Description The issue is related to the XMLInputFactory class in Apache Karaf, which lacks mitigation against XXE attacks. This allows an attacker to inject external XML entities, potentially leading to arbitrary code execution. The vulnerability is associated with the incorrect restriction of XML links to external objects.

Recommendations For Apache Karaf versions prior to 4.1.7, update to version 4.1.7 or later to resolve the issue. For Apache Karaf versions prior to 4.2.2, update to version 4.2.2 or later to resolve the issue.

Exploit

Fix

XXE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-611

Related Identifiers

BDU:2019-04862

CVE-2018-11788

GHSA-92WJ-X78C-M4FX

Affected Products

Apache Karaf

PT-2019-4260 · Apache · Apache Karaf

CVE-2018-11788

Weakness Enumeration

Related Identifiers

Affected Products

References · 11