CVE-2018-11788
high-risk
Published 2019-01-07
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by the XMLInputFactory class. Apache Karaf's use of the XMLInputFactory class doesn't include any mitigation code against XXE. This is a potential security risk, as a user can inject external XML entities in Apache Karaf versions prior to 4.1.7 or 4.2.2. It has been fixed in the Apache Karaf 4.1.7 and 4.2.2 releases.
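As an added example (not Karaf's own code), the following shows a StAX XMLInputFactory configured with the XXE mitigations the fix is about, used to read feature names from a constructed features descriptor; the class and method names are assumptions.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeFeaturesParser {

    // StAX factory with XXE mitigations: no DTD processing and no
    // external general/parameter entity resolution.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        try {
            // JAXP 1.5 property blocking external DTD fetches; not every StAX
            // implementation knows it, so the two settings above stay in place.
            f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        } catch (IllegalArgumentException ignored) {
        }
        return f;
    }

    // Collect the name attribute of every <feature> element in a features XML.
    static List<String> featureNames(String xml) throws XMLStreamException {
        List<String> names = new ArrayList<>();
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "feature".equals(r.getLocalName())) {
                    String name = r.getAttributeValue(null, "name");
                    if (name != null) names.add(name); // nested <feature>dep</feature> has no name
                }
            }
        } finally {
            r.close();
        }
        return names;
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample in the shape of a Karaf features descriptor (not a real repo).
        String featuresXml =
            "<features name=\"demo-repo\">\n"
          + "  <feature name=\"demo-core\" version=\"1.0.0\"><bundle>mvn:org.example/core/1.0.0</bundle></feature>\n"
          + "  <feature name=\"demo-web\" version=\"1.0.0\"><feature>demo-core</feature></feature>\n"
          + "</features>";
        System.out.println(featureNames(featuresXml));
    }
}
```

With SUPPORT_DTD disabled, a descriptor that declares a DOCTYPE with entities fails to parse instead of having its entities resolved, which is the behaviour to verify when checking a deployment's XML handling.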
Do I need to act?
24.7% chance of exploitation in next 30 days
EPSS score — higher than 75% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (3)
Karaf
Karaf
Karaf
Affected Vendors
References (4)
Vendor Advisory
http://karaf.apache.org/security/cve-2018-11788.txt
Third Party Advisory
http://www.securityfocus.com/bid/106479
56 / 100 · high-risk
Severity
32/34 · Critical
Exploitability
15/34 · Moderate
Exposure
9/34 · Low