Lucene search

EclipseCVE-2018-12544

HistoryOct 10, 2018 - 8:29 p.m.

CVE-2018-12544

2018-10-1020:29:00

CWE-611

eclipse

web.nvd.nist.gov

eclipse vert.x

openapi

xml

validator

vulnerability

cve-2018-12544

nvd

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.003

Percentile

70.0%

JSON

In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.

Affected configurations

Nvd

Node

eclipsevert.xMatch3.5.0

eclipsevert.xMatch3.5.0beta1

eclipsevert.xMatch3.5.1

eclipsevert.xMatch3.5.2

eclipsevert.xMatch3.5.2cr1

eclipsevert.xMatch3.5.2cr2

eclipsevert.xMatch3.5.2cr3

eclipsevert.xMatch3.5.3

eclipsevert.xMatch3.5.3cr1

VendorProductVersionCPE
eclipsevert.x3.5.0cpe:2.3:a:eclipse:vert.x:3.5.0:*:*:*:*:*:*:*
eclipsevert.x3.5.0cpe:2.3:a:eclipse:vert.x:3.5.0:beta1:*:*:*:*:*:*
eclipsevert.x3.5.1cpe:2.3:a:eclipse:vert.x:3.5.1:*:*:*:*:*:*:*
eclipsevert.x3.5.2cpe:2.3:a:eclipse:vert.x:3.5.2:*:*:*:*:*:*:*
eclipsevert.x3.5.2cpe:2.3:a:eclipse:vert.x:3.5.2:cr1:*:*:*:*:*:*
eclipsevert.x3.5.2cpe:2.3:a:eclipse:vert.x:3.5.2:cr2:*:*:*:*:*:*
eclipsevert.x3.5.2cpe:2.3:a:eclipse:vert.x:3.5.2:cr3:*:*:*:*:*:*
eclipsevert.x3.5.3cpe:2.3:a:eclipse:vert.x:3.5.3:*:*:*:*:*:*:*
eclipsevert.x3.5.3cpe:2.3:a:eclipse:vert.x:3.5.3:cr1:*:*:*:*:*:*

Vendor	Product	Version	CPE
eclipse	vert.x	3.5.0	cpe:2.3:a:eclipse:vert.x:3.5.0:::::::*
eclipse	vert.x	3.5.0	cpe:2.3:a:eclipse:vert.x:3.5.0:beta1::::::
eclipse	vert.x	3.5.1	cpe:2.3:a:eclipse:vert.x:3.5.1:::::::*
eclipse	vert.x	3.5.2	cpe:2.3:a:eclipse:vert.x:3.5.2:::::::*
eclipse	vert.x	3.5.2	cpe:2.3:a:eclipse:vert.x:3.5.2:cr1::::::
eclipse	vert.x	3.5.2	cpe:2.3:a:eclipse:vert.x:3.5.2:cr2::::::
eclipse	vert.x	3.5.2	cpe:2.3:a:eclipse:vert.x:3.5.2:cr3::::::
eclipse	vert.x	3.5.3	cpe:2.3:a:eclipse:vert.x:3.5.3:::::::*
eclipse	vert.x	3.5.3	cpe:2.3:a:eclipse:vert.x:3.5.3:cr1::::::

CNA Affected

[
  {
    "product": "Eclipse Vert.x",
    "vendor": "The Eclipse Foundation",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "3.5.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "3.5.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

access.redhat.com/errata/RHSA-2018:2946

bugs.eclipse.org/bugs/show_bug.cgi?id=539568

github.com/vert-x3/vertx-web/issues/1021

lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.003

Percentile

70.0%

JSON

Related for CVE-2018-12544