6 matches found
EUVD-2018-0798
Malware in sbrugna...
org.bedework.bwwebcl:bw-calendar-client-appcommon (=3.12.0), org.bedework.bwwebcl:bw-calendar-client-ear (=3.12.0) +33 more potentially affected by CVE-2018-20000 via org.bedework:bw-webdav (>=4.0.1 <=4.0.2)
org.bedework:bw-webdav MAVEN version =4.0.1, =4.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on org.bedework:bw-webdav and may be impacted: - org.bedework.bwwebcl:bw-calendar-client-appcommon =3.12.0 - org.bedework.bwwebcl:bw-calendar-client-ear...
XML External Entity (XXE)
bw-webdav is vulnerable to XML external entity (XXE) attacks. The parseContent function in webdav/servlet/common/MethodBase.java and the processXML function in webdav/servlet/common/PostRequestPars.java do not implement secure XML parsing, which would allow a remote attacker to perform XXE attacks...
CVE-2018-20000
Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java...
CVE-2018-20000
Apereo Bedework bw-webdav contains an XML External Entity (XXE) vulnerability (CVE-2018-20000) in versions before 4.0.3. The issue arises in the XML parsing code paths used by a webdav servlet (notably MethodBase.java and PostRequestPars.java), allowing an attacker to read local files via special...
CVE-2018-20000
Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java...