CVE-2018-11788

Summary

CVE	CVE-2018-11788
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-01-07 16:29:00 UTC
Updated	2019-02-12 20:38:00 UTC
Description	Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

Risk And Classification

Problem Types: CWE-611

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Karaf	All	All	All	All
Application	Apache	Karaf	4.2.0	milestone1	All	All
Application	Apache	Karaf	4.2.0	milestone2	All	All
Application	Apache	Karaf	All	All	All	All
Application	Apache	Karaf	4.2.0	milestone1	All	All
Application	Apache	Karaf	4.2.0	milestone2	All	All
Application	Apache	Karaf	All	All	All	All

References

Reference	Source	Link	Tags
karaf.apache.org/security/cve-2018-11788.txt	MISC	karaf.apache.org	Vendor Advisory
Apache Karaf CVE-2018-11788 XML External Entity Injection Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

376223 Apache Karaf Multiple Vulnerabilities
981176 Java (maven) Security Update for org.apache.karaf:karaf (GHSA-92wj-x78c-m4fx)