cvelistv5 - cve-2018-12544

CVE-2018-12544 (GCVE-0-2018-12544)

Vulnerability from cvelistv5 – Published: 2018-10-10 20:00 – Updated: 2024-08-05 08:38

Summary

In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.

Severity ?

No CVSS data available.

CWE

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Assigner

eclipse

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2018:2946	vendor-advisoryx_refsource_REDHAT
	https://github.com/vert-x3/vertx-web/issues/1021	x_refsource_CONFIRM
	https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568	x_refsource_CONFIRM
	https://lists.apache.org/thread.html/rd0e44e8ef71…	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	The Eclipse Foundation	Eclipse Vert.x	Affected: 3.5.0 , < unspecified (custom) Affected: unspecified , ≤ 3.5.3 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:38:06.199Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2018:2946",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2946"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vert-x3/vertx-web/issues/1021"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568"
          },
          {
            "name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Eclipse Vert.x",
          "vendor": "The Eclipse Foundation",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "3.5.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2018-10-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-16T05:06:24",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "name": "RHSA-2018:2946",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2946"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vert-x3/vertx-web/issues/1021"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568"
        },
        {
          "name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@eclipse.org",
          "ID": "CVE-2018-12544",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Eclipse Vert.x",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "3.5.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "3.5.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "The Eclipse Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2018:2946",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2946"
            },
            {
              "name": "https://github.com/vert-x3/vertx-web/issues/1021",
              "refsource": "CONFIRM",
              "url": "https://github.com/vert-x3/vertx-web/issues/1021"
            },
            {
              "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568",
              "refsource": "CONFIRM",
              "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568"
            },
            {
              "name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2018-12544",
    "datePublished": "2018-10-10T20:00:00",
    "dateReserved": "2018-06-18T00:00:00",
    "dateUpdated": "2024-08-05T08:38:06.199Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:vert.x:3.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B578D87B-7F8C-4A7F-91EA-69F6E3595A06\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:vert.x:3.5.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"9C190477-C1D6-4F22-BDCB-ED6B9B592F5F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:vert.x:3.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2543DA32-484A-4A29-B31F-63C9FBD1257D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:vert.x:3.5.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BA23A643-E54E-4367-BA97-A7693F6D72D5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:vert.x:3.5.2:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"66A46B71-DD57-4399-B277-2F56E1FB2A0B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:vert.x:3.5.2:cr2:*:*:*:*:*:*\", \"matchCriteriaId\": \"D504CD1D-FF99-480E-AD59-71CD4C258926\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:vert.x:3.5.2:cr3:*:*:*:*:*:*\", \"matchCriteriaId\": \"740C51B1-69BD-4520-9405-4ED67F505440\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:vert.x:3.5.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"402E12D6-A40F-4576-BE82-B58813A39EEC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:vert.x:3.5.3:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"A2822E1C-48FB-4110-BF27-75186613EFA1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.\"}, {\"lang\": \"es\", \"value\": \"De la versi\\u00f3n 3.5.Beta1 a la 3.5.3 de Eclipse Vert.x, el validador de tipos XML OpenAPI crea analizadores XML sin las medidas defensivas adecuadas contra ataques XML. Este mecanismo es exclusivo a cuando el desarrollador emplea el validador de tipos XML OpenAPI de Eclipse Vert.x para validar un esquema proporcionado.\"}]",
      "id": "CVE-2018-12544",
      "lastModified": "2024-11-21T03:45:24.490",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-10-10T20:29:00.710",
      "references": "[{\"url\": \"https://access.redhat.com/errata/RHSA-2018:2946\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/vert-x3/vertx-web/issues/1021\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"emo@eclipse.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2946\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/vert-x3/vertx-web/issues/1021\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "emo@eclipse.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"emo@eclipse.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-12544\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2018-10-10T20:29:00.710\",\"lastModified\":\"2024-11-21T03:45:24.490\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.\"},{\"lang\":\"es\",\"value\":\"De la versi\u00f3n 3.5.Beta1 a la 3.5.3 de Eclipse Vert.x, el validador de tipos XML OpenAPI crea analizadores XML sin las medidas defensivas adecuadas contra ataques XML. Este mecanismo es exclusivo a cuando el desarrollador emplea el validador de tipos XML OpenAPI de Eclipse Vert.x para validar un esquema proporcionado.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:vert.x:3.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B578D87B-7F8C-4A7F-91EA-69F6E3595A06\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:vert.x:3.5.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C190477-C1D6-4F22-BDCB-ED6B9B592F5F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:vert.x:3.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2543DA32-484A-4A29-B31F-63C9FBD1257D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:vert.x:3.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA23A643-E54E-4367-BA97-A7693F6D72D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:vert.x:3.5.2:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"66A46B71-DD57-4399-B277-2F56E1FB2A0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:vert.x:3.5.2:cr2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D504CD1D-FF99-480E-AD59-71CD4C258926\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:vert.x:3.5.2:cr3:*:*:*:*:*:*\",\"matchCriteriaId\":\"740C51B1-69BD-4520-9405-4ED67F505440\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:vert.x:3.5.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"402E12D6-A40F-4576-BE82-B58813A39EEC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:vert.x:3.5.3:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2822E1C-48FB-4110-BF27-75186613EFA1\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2946\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/vert-x3/vertx-web/issues/1021\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2946\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/vert-x3/vertx-web/issues/1021\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

CNVD-2019-43399

Vulnerability from cnvd - Published: 2019-12-03

Title

Eclipse Vert.xXML外部实体注入漏洞

Description

Eclipse Vert.x是Eclipse基金会的一个用于在JVM上构建响应式应用程序的工具包，它主要用于构建网络实用程序、Web应用程序、HTTP/REST微服务等应用程序。 Eclipse Vert.x中的‘isValid’函数存在XML外部实体注入漏洞。目前没有详细的漏洞细节提供。

Severity

高

Patch Name

Eclipse Vert.xXML外部实体注入漏洞的补丁

Patch Description

Eclipse Vert.x是Eclipse基金会的一个用于在JVM上构建响应式应用程序的工具包，它主要用于构建网络实用程序、Web应用程序、HTTP/REST微服务等应用程序。 Eclipse Vert.x中的‘isValid’函数存在XML外部实体注入漏洞。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568

Reference

https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568

Impacted products

Name
Eclipse Vert.x >=3.5.Beta1，<=3.5.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-12544",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12544"
    }
  },
  "description": "Eclipse Vert.x\u662fEclipse\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7528\u4e8e\u5728JVM\u4e0a\u6784\u5efa\u54cd\u5e94\u5f0f\u5e94\u7528\u7a0b\u5e8f\u7684\u5de5\u5177\u5305\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u7f51\u7edc\u5b9e\u7528\u7a0b\u5e8f\u3001Web\u5e94\u7528\u7a0b\u5e8f\u3001HTTP/REST\u5fae\u670d\u52a1\u7b49\u5e94\u7528\u7a0b\u5e8f\u3002\n\nEclipse Vert.x\u4e2d\u7684\u2018isValid\u2019\u51fd\u6570\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://bugs.eclipse.org/bugs/show_bug.cgi?id=539568",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-43399",
  "openTime": "2019-12-03",
  "patchDescription": "Eclipse Vert.x\u662fEclipse\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7528\u4e8e\u5728JVM\u4e0a\u6784\u5efa\u54cd\u5e94\u5f0f\u5e94\u7528\u7a0b\u5e8f\u7684\u5de5\u5177\u5305\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u7f51\u7edc\u5b9e\u7528\u7a0b\u5e8f\u3001Web\u5e94\u7528\u7a0b\u5e8f\u3001HTTP/REST\u5fae\u670d\u52a1\u7b49\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nEclipse Vert.x\u4e2d\u7684\u2018isValid\u2019\u51fd\u6570\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Eclipse Vert.xXML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Eclipse Vert.x  \u003e=3.5.Beta1\uff0c\u003c=3.5.3"
  },
  "referenceLink": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568",
  "serverity": "\u9ad8",
  "submitTime": "2018-10-12",
  "title": "Eclipse Vert.xXML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e"
}

RHSA-2018_2946

Vulnerability from csaf_redhat - Published: 2018-10-18 08:14 - Updated: 2024-11-15 00:35

Summary

Red Hat Security Advisory: Red Hat OpenShift Application Runtimes security and bug fix update

Notes

Topic

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat Openshift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. The RHOAR Eclipse Vert.x 3.5.4 release serves as a replacement for RHOAR Eclipse Vert.x 3.5.3, and includes bug fixes and enhancements. For a detailed list of issues resolved in the community Eclipse Vert.x 3.5.4 release, see the release notes in the References section. Security Fix(es): * vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake (CVE-2018-12541) * vertx: API Validation XML Schemas do not forbid file system access (CVE-2018-12544) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat OpenShift Application Runtimes.\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Openshift Application Runtimes provides an application platform\nthat reduces the complexity of developing and operating applications\n(monoliths and microservices) for OpenShift as a containerized platform.\n\nThe RHOAR Eclipse Vert.x 3.5.4 release serves as a replacement for RHOAR Eclipse Vert.x 3.5.3, and includes bug fixes and enhancements. For a detailed list of issues resolved in the community Eclipse Vert.x 3.5.4 release, see the release notes in the References section.\n\nSecurity Fix(es):\n\n* vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake (CVE-2018-12541)\n\n* vertx: API Validation XML Schemas do not forbid file system access (CVE-2018-12544)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2018:2946",
        "url": "https://access.redhat.com/errata/RHSA-2018:2946"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.eclipse.vertx\u0026version=3.5.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.eclipse.vertx\u0026version=3.5.4"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/"
      },
      {
        "category": "external",
        "summary": "1638384",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638384"
      },
      {
        "category": "external",
        "summary": "1638391",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638391"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2946.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift Application Runtimes security and bug fix update",
    "tracking": {
      "current_release_date": "2024-11-15T00:35:44+00:00",
      "generator": {
        "date": "2024-11-15T00:35:44+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2018:2946",
      "initial_release_date": "2018-10-18T08:14:41+00:00",
      "revision_history": [
        {
          "date": "2018-10-18T08:14:41+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2018-10-18T08:14:41+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T00:35:44+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Text-Only RHOAR",
                "product": {
                  "name": "Text-Only RHOAR",
                  "product_id": "Text-Only RHOAR",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Application Runtimes"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-12541",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2018-10-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1638391"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonnable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Text-Only RHOAR"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-12541"
        },
        {
          "category": "external",
          "summary": "RHBZ#1638391",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638391"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-12541",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-12541"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12541",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12541"
        }
      ],
      "release_date": "2018-10-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-10-18T08:14:41+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Text-Only RHOAR"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2018:2946"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Text-Only RHOAR"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake"
    },
    {
      "cve": "CVE-2018-12544",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2018-10-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1638384"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vertx: API Validation XML Schemas do not forbid file system access",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Text-Only RHOAR"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-12544"
        },
        {
          "category": "external",
          "summary": "RHBZ#1638384",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638384"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-12544",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-12544"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12544",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12544"
        }
      ],
      "release_date": "2018-09-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-10-18T08:14:41+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Text-Only RHOAR"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2018:2946"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Text-Only RHOAR"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vertx: API Validation XML Schemas do not forbid file system access"
    }
  ]
}

RHSA-2018:2946

Vulnerability from csaf_redhat - Published: 2018-10-18 08:14 - Updated: 2025-11-21 18:06

Summary

Red Hat Security Advisory: Red Hat OpenShift Application Runtimes security and bug fix update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat OpenShift Application Runtimes.\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Openshift Application Runtimes provides an application platform\nthat reduces the complexity of developing and operating applications\n(monoliths and microservices) for OpenShift as a containerized platform.\n\nThe RHOAR Eclipse Vert.x 3.5.4 release serves as a replacement for RHOAR Eclipse Vert.x 3.5.3, and includes bug fixes and enhancements. For a detailed list of issues resolved in the community Eclipse Vert.x 3.5.4 release, see the release notes in the References section.\n\nSecurity Fix(es):\n\n* vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake (CVE-2018-12541)\n\n* vertx: API Validation XML Schemas do not forbid file system access (CVE-2018-12544)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2018:2946",
        "url": "https://access.redhat.com/errata/RHSA-2018:2946"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.eclipse.vertx\u0026version=3.5.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.eclipse.vertx\u0026version=3.5.4"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/"
      },
      {
        "category": "external",
        "summary": "1638384",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638384"
      },
      {
        "category": "external",
        "summary": "1638391",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638391"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2946.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift Application Runtimes security and bug fix update",
    "tracking": {
      "current_release_date": "2025-11-21T18:06:21+00:00",
      "generator": {
        "date": "2025-11-21T18:06:21+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2018:2946",
      "initial_release_date": "2018-10-18T08:14:41+00:00",
      "revision_history": [
        {
          "date": "2018-10-18T08:14:41+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2018-10-18T08:14:41+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T18:06:21+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Text-Only RHOAR",
                "product": {
                  "name": "Text-Only RHOAR",
                  "product_id": "Text-Only RHOAR",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Application Runtimes"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-12541",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2018-10-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1638391"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonnable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Text-Only RHOAR"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-12541"
        },
        {
          "category": "external",
          "summary": "RHBZ#1638391",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638391"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-12541",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-12541"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12541",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12541"
        }
      ],
      "release_date": "2018-10-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-10-18T08:14:41+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Text-Only RHOAR"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2018:2946"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Text-Only RHOAR"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake"
    },
    {
      "cve": "CVE-2018-12544",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2018-10-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1638384"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vertx: API Validation XML Schemas do not forbid file system access",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Text-Only RHOAR"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-12544"
        },
        {
          "category": "external",
          "summary": "RHBZ#1638384",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638384"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-12544",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-12544"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12544",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12544"
        }
      ],
      "release_date": "2018-09-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-10-18T08:14:41+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Text-Only RHOAR"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2018:2946"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Text-Only RHOAR"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vertx: API Validation XML Schemas do not forbid file system access"
    }
  ]
}

GHSA-QH3M-QW6V-QVHG

Vulnerability from github – Published: 2018-10-17 16:20 – Updated: 2024-03-04 20:46

Summary

Moderate severity vulnerability that affects io.vertx:vertx-core

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0"
            },
            {
              "fixed": "3.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-12544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:51:57Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.",
  "id": "GHSA-qh3m-qw6v-qvhg",
  "modified": "2024-03-04T20:46:26Z",
  "published": "2018-10-17T16:20:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12544"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vert-x3/vertx-web/issues/1021"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vert-x3/vertx-web/commit/ac8692c618d6180a9bc012a2ac8dbec821b1a97"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2946"
    },
    {
      "type": "WEB",
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-qh3m-qw6v-qvhg"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Moderate severity vulnerability that affects io.vertx:vertx-core"
}

FKIE_CVE-2018-12544

Vulnerability from fkie_nvd - Published: 2018-10-10 20:29 - Updated: 2024-11-21 03:45

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
emo@eclipse.org	https://access.redhat.com/errata/RHSA-2018:2946	Third Party Advisory
emo@eclipse.org	https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568	Issue Tracking, Patch, Vendor Advisory
emo@eclipse.org	https://github.com/vert-x3/vertx-web/issues/1021	Patch, Third Party Advisory
emo@eclipse.org	https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2018:2946	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568	Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vert-x3/vertx-web/issues/1021	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E

Impacted products

Vendor	Product	Version
eclipse	vert.x	3.5.0
eclipse	vert.x	3.5.0
eclipse	vert.x	3.5.1
eclipse	vert.x	3.5.2
eclipse	vert.x	3.5.2
eclipse	vert.x	3.5.2
eclipse	vert.x	3.5.2
eclipse	vert.x	3.5.3
eclipse	vert.x	3.5.3

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:eclipse:vert.x:3.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B578D87B-7F8C-4A7F-91EA-69F6E3595A06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:vert.x:3.5.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "9C190477-C1D6-4F22-BDCB-ED6B9B592F5F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:vert.x:3.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2543DA32-484A-4A29-B31F-63C9FBD1257D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:vert.x:3.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA23A643-E54E-4367-BA97-A7693F6D72D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:vert.x:3.5.2:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "66A46B71-DD57-4399-B277-2F56E1FB2A0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:vert.x:3.5.2:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "D504CD1D-FF99-480E-AD59-71CD4C258926",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:vert.x:3.5.2:cr3:*:*:*:*:*:*",
              "matchCriteriaId": "740C51B1-69BD-4520-9405-4ED67F505440",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:vert.x:3.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "402E12D6-A40F-4576-BE82-B58813A39EEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:vert.x:3.5.3:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "A2822E1C-48FB-4110-BF27-75186613EFA1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema."
    },
    {
      "lang": "es",
      "value": "De la versi\u00f3n 3.5.Beta1 a la 3.5.3 de Eclipse Vert.x, el validador de tipos XML OpenAPI crea analizadores XML sin las medidas defensivas adecuadas contra ataques XML. Este mecanismo es exclusivo a cuando el desarrollador emplea el validador de tipos XML OpenAPI de Eclipse Vert.x para validar un esquema proporcionado."
    }
  ],
  "id": "CVE-2018-12544",
  "lastModified": "2024-11-21T03:45:24.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-10-10T20:29:00.710",
  "references": [
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2946"
    },
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568"
    },
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/vert-x3/vertx-web/issues/1021"
    },
    {
      "source": "emo@eclipse.org",
      "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:2946"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/vert-x3/vertx-web/issues/1021"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
    }
  ],
  "sourceIdentifier": "emo@eclipse.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "emo@eclipse.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2018-12544

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-12544

Aliases

CVE-2018-12544

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-12544",
    "description": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.",
    "id": "GSD-2018-12544",
    "references": [
      "https://access.redhat.com/errata/RHSA-2018:2946"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-12544"
      ],
      "details": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.",
      "id": "GSD-2018-12544",
      "modified": "2023-12-13T01:22:30.657479Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@eclipse.org",
        "ID": "CVE-2018-12544",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Eclipse Vert.x",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003e=",
                          "version_value": "3.5.0"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_value": "3.5.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "The Eclipse Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "RHSA-2018:2946",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:2946"
          },
          {
            "name": "https://github.com/vert-x3/vertx-web/issues/1021",
            "refsource": "CONFIRM",
            "url": "https://github.com/vert-x3/vertx-web/issues/1021"
          },
          {
            "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568",
            "refsource": "CONFIRM",
            "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568"
          },
          {
            "name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[3.5.0,3.5.4)",
          "affected_versions": "All versions starting from 3.5.0 before 3.5.4",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-611",
            "CWE-937"
          ],
          "date": "2021-01-08",
          "description": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.",
          "fixed_versions": [
            "3.5.4"
          ],
          "identifier": "CVE-2018-12544",
          "identifiers": [
            "GHSA-qh3m-qw6v-qvhg",
            "CVE-2018-12544"
          ],
          "not_impacted": "All versions before 3.5.0, all versions starting from 3.5.4",
          "package_slug": "maven/io.vertx/vertx-core",
          "pubdate": "2018-10-17",
          "solution": "Upgrade to version 3.5.4 or above.",
          "title": "Improper Restriction of XML External Entity Reference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-12544",
            "https://github.com/vert-x3/vertx-web/issues/1021",
            "https://github.com/advisories/GHSA-qh3m-qw6v-qvhg"
          ],
          "uuid": "6466681c-6311-4b40-9c59-eedf1aee6868"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:vert.x:3.5.2:cr2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:vert.x:3.5.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:vert.x:3.5.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:vert.x:3.5.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:vert.x:3.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:vert.x:3.5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:vert.x:3.5.2:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:vert.x:3.5.2:cr3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:vert.x:3.5.3:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@eclipse.org",
          "ID": "CVE-2018-12544"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-611"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vert-x3/vertx-web/issues/1021",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/vert-x3/vertx-web/issues/1021"
            },
            {
              "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568"
            },
            {
              "name": "RHSA-2018:2946",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2946"
            },
            {
              "name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-12-16T06:15Z",
      "publishedDate": "2018-10-10T20:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-12544 (GCVE-0-2018-12544)

CNVD-2019-43399

RHSA-2018_2946

RHSA-2018:2946

GHSA-QH3M-QW6V-QVHG

FKIE_CVE-2018-12544

GSD-2018-12544

Tags

Sightings

Nomenclature