CVE-2018-1000644

描述

Eclipse RDF4j version < 2.4.0 Milestone 2 contains a XML External Entity (XXE) vulnerability in RDF4j XML parser parsing RDF files that can result in the disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted RDF file.

如何修補 CVE-2018-1000644

要修補 CVE-2018-1000644,請將受影響套件升級到下列已修補版本。

• —升級至 2.4.0 或更新版本

CVE-2018-1000644 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 2.4.0

CVSS 分數

參考連結(5)

• ADVISORYgithub.com/advisories/GHSA-6xq8-pvg4-3mf3
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000644
• PATCHgithub.com/eclipse/rdf4j
• WEB0dd.zone/2018/08/05/rdf4j-XXE
• WEBgithub.com/eclipse/rdf4j/issues/1056