GitHub Advisory DatabaseGHSA-JXM5-5XCW-H57Qexist-db:exist-core XML External Entity (XXE) vulnerability
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
61.3%
exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| org.exist-db | exist-core | * | cpe:2.3:a:org.exist-db:exist-core:*:*:*:*:*:*:*:* |
References
0dd.zone/2018/10/27/exist-XXE/
github.com/advisories/GHSA-jxm5-5xcw-h57q
github.com/eXist-db/exist/commit/1c3f0aec14d00bdbca175713af70cb7c7b868e9f
github.com/eXist-db/exist/commit/b210f9fbf379b68842f2b055dda80d7e7479e96f
github.com/eXist-db/exist/issues/2180
github.com/eXist-db/exist/pull/2243
github.com/eXist-db/exist/pull/2247
nvd.nist.gov/vuln/detail/CVE-2018-1000823
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
61.3%