CVE-2018-17186

HIGH7.2EPSS 0.56%

Improper Restriction of XML External Entity Reference in org.apache.syncope:syncope-core

發布日:2018/11/6修改日:2024/3/4

描述

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.

受影響套件(1)

Maven/org.apache.syncope:syncope-corefrom 0, < 2.0.11

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.2	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://github.com/advisories/GHSA-qfjv-998w-q48f
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-17186
WEBhttps://github.com/apache/syncope/commit/a0f35f45f8ca5c98853ae8477fb2db81a84709a
WEBhttps://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions