CVE-2018-11788 — XML External Entity Reference in Apache Karaf

Description

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

How to fix CVE-2018-11788

To remediate CVE-2018-11788, upgrade the affected package to a fixed version below.

—upgrade to 4.2.2 or later

Is CVE-2018-11788 being exploited?

Moderate — EPSS is 24.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 4.2.0, < 4.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-11788
PATCHgithub.com/apache/karaf
WEBkaraf.apache.org/security/cve-2018-11788.txt
WEBgithub.com/apache/karaf/commit/0c36c50bc158739c8fc8543122a6740c54adafca