Vulnerability Details : CVE-2019-9658
Checkstyle before 8.18 loads external DTDs by default.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2019-9658
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:a:checkstyle:checkstyle:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-9658
- EPSS score: 0.65% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~79% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-9658
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST |
CWE ids for CVE-2019-9658
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-9658
- https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E : svn commit: r1882168 - /nifi/site/trunk/security.html - Pony Mail
- https://github.com/checkstyle/checkstyle/issues/6474 : Disable loading external DTDs by default, create system property to activate it · Issue #6474 · checkstyle/checkstyle · GitHub (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJPT54USMGWT3Y6XVXLDEHKRUY2EI4OE/ : [SECURITY] Fedora 29 Update: checkstyle-8.0-4.1.fc29 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/994221405e940e148adcfd9cb24ffc6700bed70c7820c55a22559d26@%3Cnotifications.fluo.apache.org%3E : Pony Mail!
- https://lists.apache.org/thread.html/6bf8bbbca826e883f09ba40bc0d319350e1d6d4cf4df7c9e399b2699@%3Ccommits.fluo.apache.org%3E : [fluo] branch fluo-parent updated: Update checkstyle (CVE-2019-9658) (#1073) - Pony Mail
- https://github.com/checkstyle/checkstyle/issues/6478 : Remove DTDs from http://checkstyle.sourceforge.net and from http://puppycrawl.com/ · Issue #6478 · checkstyle/checkstyle · GitHub (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/04/msg00029.html : [SECURITY] [DLA 1768-1] checkstyle security update (Third Party Advisory)
- https://lists.apache.org/thread.html/a35a8ccb316d4c2340710f610cba8058e87d5376259b35ef3ed2bf89@%3Cnotifications.accumulo.apache.org%3E : Pony Mail!
- https://lists.apache.org/thread.html/fff26ee7b59360a0264fef4e8ed9454ef652db2c39f2892a9ea1c9cb@%3Cnotifications.fluo.apache.org%3E : [GitHub] [fluo] ctubbsii merged pull request #1073: Update checkstyle (CVE-2019-9658) - Pony Mail
- https://github.com/checkstyle/checkstyle/pull/6476 : Issue #6474: disable external dtd load by default by romani · Pull Request #6476 · checkstyle/checkstyle · GitHub (Third Party Advisory)
- https://lists.apache.org/thread.html/7eea10e7be4c21060cb1e79f6524c6e6559ba833b1465cd2870a56b9@%3Cserver-dev.james.apache.org%3E : [james-project] 01/03: JAMES-2693 Update com.puppycrawl.tools:checkstyle to respond to CVE-2019-9658 - Pony Mail (Mailing List; Patch; Third Party Advisory)
- https://checkstyle.org/releasenotes.html#Release_8.18 : checkstyle – Release Notes (Release Notes; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEYBAHYAV37WHMOXZYM2ZWF46FHON6YC/ : [SECURITY] Fedora 28 Update: checkstyle-8.0-4.1.fc28 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMOPJ2XYE4LB2HM7OMSUBBIYEDUTLWE/ : [SECURITY] Fedora 30 Update: checkstyle-8.0-7.fc30 - package-announce - Fedora Mailing-Lists