CVE-2018-11788

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Karaf
Vendor: CVE Published:; 7 January 2019

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

Affected Version(s)

Apache Karaf Any Apache Karaf version prior to 4.1.7 and 4.2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-11788
Created by brianwrf

References

http://karaf.apache.org/security/cve-2018-11788.txt

x_refsource_MISC

http://www.securityfocus.com/bid/106479

vdb-entryx_refsource_BID

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 7, 2019
🟡
Public PoC available
Jan 6, 2019
👾
Exploit known to exist
Jan 6, 2019
Vulnerability Reserved
Jun 5, 2018