cnvd - cnvd-2019-02944

CNVD-2019-02944

Vulnerability from cnvd - Published: 2019-01-25

Title

Apache Karaf XML外部实体注入漏洞

Description

Apache Karaf是美国阿帕奇（Apache）软件基金会的一款用于部署应用程序和组件的轻量级的OSGi（Java动态化模块化系统）容器。 Apache Karaf 4.1.7之前版本和4.2.2之前版本中存在XML外部实体注入漏洞。攻击者可以利用此漏洞绕过安全限制或获取潜在的敏感信息。

Severity

中

Patch Name

Apache Karaf XML外部实体注入漏洞的补丁

Patch Description

Apache Karaf是美国阿帕奇（Apache）软件基金会的一款用于部署应用程序和组件的轻量级的OSGi（Java动态化模块化系统）容器。 Apache Karaf 4.1.7之前版本和4.2.2之前版本中存在XML外部实体注入漏洞。攻击者可以利用此漏洞绕过安全限制或获取潜在的敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布漏洞修复程序，请及时关注更新： https://gitbox.apache.org/repos/asf?p=karaf.git;h=1ffa6d1；https://gitbox.apache.org/repos/asf?p=karaf.git;h=cc3332e

Reference

http://karaf.apache.org/security/cve-2018-11788.txt

Impacted products

Name
['Apache Karaf <4.1.7', 'Apache Karaf <4.2.2']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "106479"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-11788"
    }
  },
  "description": "Apache Karaf\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u7528\u4e8e\u90e8\u7f72\u5e94\u7528\u7a0b\u5e8f\u548c\u7ec4\u4ef6\u7684\u8f7b\u91cf\u7ea7\u7684OSGi\uff08Java\u52a8\u6001\u5316\u6a21\u5757\u5316\u7cfb\u7edf\uff09\u5bb9\u5668\u3002\n\nApache Karaf 4.1.7\u4e4b\u524d\u7248\u672c\u548c4.2.2\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u6216\u83b7\u53d6\u6f5c\u5728\u7684\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "Brian Wang",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://gitbox.apache.org/repos/asf?p=karaf.git;h=1ffa6d1\uff1bhttps://gitbox.apache.org/repos/asf?p=karaf.git;h=cc3332e",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-02944",
  "openTime": "2019-01-25",
  "patchDescription": "Apache Karaf\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u7528\u4e8e\u90e8\u7f72\u5e94\u7528\u7a0b\u5e8f\u548c\u7ec4\u4ef6\u7684\u8f7b\u91cf\u7ea7\u7684OSGi\uff08Java\u52a8\u6001\u5316\u6a21\u5757\u5316\u7cfb\u7edf\uff09\u5bb9\u5668\u3002\r\n\r\nApache Karaf 4.1.7\u4e4b\u524d\u7248\u672c\u548c4.2.2\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u6216\u83b7\u53d6\u6f5c\u5728\u7684\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Karaf  XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Karaf \u003c4.1.7",
      "Apache Karaf \u003c4.2.2"
    ]
  },
  "referenceLink": "http://karaf.apache.org/security/cve-2018-11788.txt",
  "serverity": "\u4e2d",
  "submitTime": "2019-01-08",
  "title": "Apache Karaf  XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2018-11788 (GCVE-0-2018-11788)

Vulnerability from cvelistv5 – Published: 2019-01-07 16:00 – Updated: 2024-08-05 08:17

Summary

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

Severity ?

No CVSS data available.

CWE

XXE vulnerability

Assigner

apache

References

URL

Tags

	http://karaf.apache.org/security/cve-2018-11788.txt	x_refsource_MISC
	http://www.securityfocus.com/bid/106479	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Karaf	Affected: Any Apache Karaf version prior to 4.1.7 and 4.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:17:09.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://karaf.apache.org/security/cve-2018-11788.txt"
          },
          {
            "name": "106479",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106479"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Karaf",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Any Apache Karaf version prior to 4.1.7 and 4.2.2"
            }
          ]
        }
      ],
      "datePublic": "2019-01-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Karaf provides a features deployer, which allows users to \"hot deploy\" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn\u0027t contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "XXE vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-01-09T10:57:01",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://karaf.apache.org/security/cve-2018-11788.txt"
        },
        {
          "name": "106479",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106479"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2018-11788",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Karaf",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Any Apache Karaf version prior to 4.1.7 and 4.2.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Karaf provides a features deployer, which allows users to \"hot deploy\" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn\u0027t contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "XXE vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://karaf.apache.org/security/cve-2018-11788.txt",
              "refsource": "MISC",
              "url": "http://karaf.apache.org/security/cve-2018-11788.txt"
            },
            {
              "name": "106479",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/106479"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2018-11788",
    "datePublished": "2019-01-07T16:00:00",
    "dateReserved": "2018-06-05T00:00:00",
    "dateUpdated": "2024-08-05T08:17:09.240Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-02944

CVE-2018-11788 (GCVE-0-2018-11788)

Tags

Sightings

Nomenclature