Lucene search

GitHub Advisory DatabaseGHSA-P99P-726H-C8V5

HistoryOct 19, 2018 - 4:42 p.m.

Apache juddi-client vulnerable to XML External Entity (XXE)

2018-10-1916:42:15

CWE-611

GitHub Advisory Database

github.com

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

45.1%

JSON

In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5.

Affected configurations

Vulners

Node

org.apache.juddijuddi-clientRange3.2–3.3.5

VendorProductVersionCPE
org.apache.juddijuddi-client*cpe:2.3:a:org.apache.juddi:juddi-client:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.juddi	juddi-client	*	cpe:2.3:a:org.apache.juddi:juddi-client::::::::

References

juddi.apache.org/security.html

github.com/advisories/GHSA-p99p-726h-c8v5

issues.apache.org/jira/browse/JUDDI-987

nvd.nist.gov/vuln/detail/CVE-2018-1307

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

45.1%

JSON

Related for GHSA-P99P-726H-C8V5