XML External Entity Vulnerability in Logisim Evolution Software by C. Burch
CVE-2018-1000889

8.8HIGH

Key Information:

Vendor: Logisim-evolution Project
Status: Logisim-evolution
Vendor: CVE Published:; 28 December 2018

🔔 Create Logisim-evolution Project Vulnerability Alert

What is CVE-2018-1000889?

Logisim Evolution versions prior to 2.14.4 are vulnerable to an XML External Entity (XXE) attack in the Circuit file loading functionality. This security flaw may allow an attacker to extract sensitive information or potentially execute remote code, contingent on the system's configuration. The vulnerability is exploitable when a user opens a specially crafted circuit file, making it essential for users to update to version 2.14.4 or later to mitigate this risk.

References

https://github.com/reds-heig/logisim-evolution/pull/139

x_refsource_MISC

https://www.kvakil.me/posts/logisim/

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 28, 2018
Vulnerability Reserved
Dec 23, 2018

CVE-2018-1000889 Data

JSON