CVE-2018-11788

Description

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

CVSS Version 3.0
CVSS Version 2.0

nvd
CVE ID: CVE-2018-11788
Base Score: 9.8
Base Severity: CRITICAL
Vector String:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

nvd
CVE ID: CVE-2018-11788
Base Score: 7.5
Base Severity: HIGH
Vector String:AV:N/AC:L/Au:N/C:P/I:P/A:P

Proof Of Concept

brianwrf

Apache Karaf XXE Vulnerability (CVE-2018-11788)

Refrence: GitHub

Refrence: NVD

Description​

Proof Of Concept​

Description

Proof Of Concept