Severity: 7.5 HIGH

CVE-2018-11788

Published: 07/01/2019 Updated: 12/02/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

Vulnerability Summary

Apache Karaf Hot Deploy Feature XML External Entity Injection Vulnerability

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by the XMLInputFactory class. Apache Karaf's XMLInputFactory configuration doesn't contain any mitigation code against XXE. This is a potential security risk, as a user can inject external XML entities in Apache Karaf versions prior to 4.1.7 or 4.2.2. It has been fixed in the Apache Karaf 4.1.7 and 4.2.2 releases.

A vulnerability in Apache Karaf could allow an unauthenticated, remote attacker to gain access to sensitive information or consume memory resources on a targeted system. The vulnerability is due to improper processing of XML data by the hot deploy feature of the affected software. An attacker could exploit this vulnerability by persuading a user to open an XML file that submits malicious input to the targeted system. A successful exploit could cause an XML External Entity (XXE) injection attack, allowing the attacker to gain access to sensitive information or consume memory resources on the targeted system. Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available. Apache confirmed the vulnerability and released software updates.
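The mitigation the fix amounts to is configuring the StAX XMLInputFactory so that DTDs and external entities are not processed before the features XML is read. The following is an added example, not Karaf's own code: the features document, the entity name and the placeholder SYSTEM URI are constructed, and isHardened is a hypothetical audit helper.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedFeaturesParser {
    // Constructed sample: a minimal Karaf-style features XML whose DOCTYPE declares an
    // external entity; the placeholder URI stands for any local file. Not a real Karaf file.
    static final String SAMPLE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE features [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret\">]>\n"
      + "<features name=\"demo-repo\">\n"
      + "  <feature name=\"demo-feature\" version=\"1.0.0\">&ext;</feature>\n"
      + "</features>\n";
    // A bare XMLInputFactory.newInstance() is the unmitigated setup the advisory
    // describes; these two properties are the standard StAX XXE mitigation.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }
    // Audit check for any factory handed to you (a library default, a DI bean).
    static boolean isHardened(XMLInputFactory f) {
        return Boolean.FALSE.equals(f.getProperty(XMLInputFactory.SUPPORT_DTD))
            && Boolean.FALSE.equals(f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }
    // Collects feature names. With the hardened factory the StAX provider either
    // rejects the DOCTYPE or leaves &ext; unresolved; the SYSTEM URI is never read.
    static List<String> featureNames(XMLInputFactory f, String xml) throws XMLStreamException {
        List<String> names = new ArrayList<>();
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.START_ELEMENT && "feature".equals(r.getLocalName())) {
                names.add(r.getAttributeValue(null, "name"));
            }
        }
        return names;
    }
    public static void main(String[] args) {
        XMLInputFactory f = hardenedFactory();
        System.out.println("hardened=" + isHardened(f));
        try { System.out.println("features=" + featureNames(f, SAMPLE)); }
        catch (XMLStreamException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Whether the DOCTYPE is rejected outright or the entity reference is merely left undeclared depends on the StAX provider on the classpath, so treat the XMLStreamException path as expected rather than as a failure.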

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Affected Products

Vendor: Apache
Product: Karaf
Versions: 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.2.1

Github Repositories

TechArticles: a set of tech articles. Table of contents: Penetration Testing Study Notes: Comprehensive Penetration Case 1; Apache Karaf XXE Vulnerability (CVE-2018-11788); Magento Unauthorized Remote Code Execution (CVE-2016-4010); Apache Tika Denial of Service Vulnerability (CVE-2018-11761)
