BID:106479

Apache Karaf CVE-2018-11788 XML External Entity Injection Vulnerability

CVE-2018-11788 |

Info

Apache Karaf CVE-2018-11788 XML External Entity Injection Vulnerability

Bugtraq ID:	106479
Class:	Design Error
CVE:	CVE-2018-11788
Remote:	Yes
Local:	No
Published:	Jan 07 2019 12:00AM
Updated:	Jan 07 2019 12:00AM
Credit:	Brian Wang
Vulnerable:	Apache Karaf 4.2.1 Apache Karaf 4.2 Apache Karaf 4.1.6 Apache Karaf 4.1.5 Apache Karaf 4.1.4 Apache Karaf 4.1.3 Apache Karaf 4.1.1 Apache Karaf 4.1

Not Vulnerable:	Apache Karaf 4.2.2 Apache Karaf 4.1.7

Exploit / POC

Apache Karaf CVE-2018-11788 XML External Entity Injection Vulnerability

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

Solution / Fix

Apache Karaf CVE-2018-11788 XML External Entity Injection Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

References

Apache Karaf CVE-2018-11788 XML External Entity Injection Vulnerability

References:

Apache Homepage (Apache)
Apache Karaf Home Page (Apache)
Apache Karaf Product Page (Apache)
Apache Karaf XXE Vulnerability (CVE-2018-11788) (Github)
[SECURITY] New security advisory for CVE-2018-11788 released for Apache Karaf (Seclist)
CVE-2018-11788 karaf: XML external entity processing (Redhat)
CVE-2018-11788: XXE vulnerability found on Apache Karaf (Apache)
Red Hat Bugzilla �?? Bug 1663857 (Red Hat Bugzilla)