CVE-2018-1000644
moderate-risk
Published 2018-08-20
Eclipse RDF4j versions before 2.4.0 Milestone 2 contain an XML External Entity (XXE) vulnerability in the RDF4j XML parser when parsing RDF files. It can result in disclosure of confidential data, denial of service, server-side request forgery and port scanning. The attack appears to be exploitable via a specially crafted RDF file.
Do I need to act?
- 0.36% chance of exploitation (EPSS score: low exploit probability)
- Not on CISA KEV list (no confirmed active exploitation reported to CISA)
- Fix available. Upgrade to: ac4e1467d0cdb2c4069a6f86a8d180cec5f9f2d4
CVSS 10.0/10, Critical (attack vector: NETWORK / LOW complexity)
Affected Products (4): Rdf4J
References (4)
Third Party Advisory: https://0dd.zone/2018/08/05/rdf4j-XXE/
Risk score: 44/100 (moderate-risk)
Severity: 33/34 (Critical)
Exploitability: 1/34 (Minimal)
Exposure: 10/34 (Low)