Vulnerability Details : CVE-2018-12544
In versions from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defenses against XML attacks. This code path is exercised only when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.
Vulnerability category: XML external entity (XXE) injection
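The description above says the validator built its XML parsers without XXE defenses. With JAXP factory defaults, the JDK's built-in parser honours DOCTYPE declarations and resolves external entities, which is the behaviour class CWE-611 describes. The following is an added example, written for this page and not code from Vert.x or its fix: it shows how a Java parser and schema factory are hardened so that a document carrying an external entity declaration is rejected before any entity is resolved. The helper names, the sample document and the `file:///PLACEHOLDER` URI are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class HardenedXmlParsing {

    // Hypothetical helper: a DocumentBuilderFactory configured so that DTDs and
    // external entities are refused before any entity expansion can take place.
    public static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Most direct defense: reject any DOCTYPE, so no entity can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for parsers that must accept a DOCTYPE: never resolve
        // external general or parameter entities, and never fetch an external DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Hypothetical helper: a SchemaFactory for XSD validation that is not allowed
    // to fetch external DTDs or schemas from the file system or the network.
    public static SchemaFactory hardenedSchemaFactory() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    // Constructed sample input: a document that declares an external entity.
    // The URI is a placeholder standing in for whatever a hostile document might name.
    static final String SAMPLE_WITH_EXTERNAL_ENTITY =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE item [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER\"> ]>\n"
          + "<item>&ext;</item>";

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = hardenedDocumentBuilderFactory().newDocumentBuilder();
        InputStream in = new ByteArrayInputStream(
                SAMPLE_WITH_EXTERNAL_ENTITY.getBytes(StandardCharsets.UTF_8));
        try {
            builder.parse(in);
            System.out.println("UNEXPECTED: document with a DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // Expected with disallow-doctype-decl: parsing stops at the DOCTYPE
            // and the entity is never resolved.
            System.out.println("Rejected as expected: " + e.getMessage());
        }
        // The schema factory is hardened the same way before any XSD is compiled.
        hardenedSchemaFactory();
    }
}
```

The first feature alone blocks this class of input; the remaining settings matter when a DOCTYPE has to be accepted for legitimate reasons, and the `ACCESS_EXTERNAL_*` properties close the equivalent path on the schema side, which is the component the advisory names.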
Products affected by CVE-2018-12544
- cpe:2.3:a:eclipse:vert.x:3.5.2:cr2:*:*:*:*:*:*
- cpe:2.3:a:eclipse:vert.x:3.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:vert.x:3.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:vert.x:3.5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:vert.x:3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:vert.x:3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:vert.x:3.5.2:cr1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:vert.x:3.5.2:cr3:*:*:*:*:*:*
- cpe:2.3:a:eclipse:vert.x:3.5.3:cr1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-12544
- 0.30%: probability of exploitation activity in the next 30 days
- ~70%: percentile, the proportion of vulnerabilities that are scored at or below this one
CVSS scores for CVE-2018-12544
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
CWE ids for CVE-2018-12544
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Assigned by:
- emo@eclipse.org (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2018-12544
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568
  539568 – (CVE-2018-12544) The OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks (Issue Tracking; Patch; Vendor Advisory)
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
  [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list - Pony Mail
- https://access.redhat.com/errata/RHSA-2018:2946
  RHSA-2018:2946 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://github.com/vert-x3/vertx-web/issues/1021
  API Validation XML Schemas do not forbid file system access (XXE) · Issue #1021 · vert-x3/vertx-web · GitHub (Patch; Third Party Advisory)