XML External Entity Vulnerability in Apache Cayenne's CayenneModeler Tool
CVE-2018-11758

8.1 HIGH

Key Information:

Vendor:
Apache
CVE Published:
22 August 2018

Summary

Apache Cayenne's CayenneModeler, a desktop GUI tool for editing ORM models stored as XML, is susceptible to an XML External Entity (XXE) vulnerability. An attacker who persuades a user to open a malicious XML file in CayenneModeler can cause the tool's built-in XML parser to read files from the user's local machine and send them to a remote server under the attacker's control. To mitigate this, XXE processing has been disabled in all operations within Cayenne that parse XML.

Affected Version(s)

Apache Cayenne 4.1.M1

Apache Cayenne 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1

Apache Cayenne 3.1, 3.1.1, 3.1.2

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved