CVE-2018-1000823 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2018-1000823

CVE-2018-1000823

December 20, 2018

exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.

Affected Packages

org.exist-db:exist-core (JAVA):

Affected version(s) >=5.0.0-RC8 <5.1.0

Fix Suggestion:

Update to version 5.1.0

Related Resources (10)

https://github.com/eXist-db/exist

https://nvd.nist.gov/vuln/detail/CVE-2018-1000823

https://github.com/eXist-db/exist/commit/b210f9fbf379b68842f2b055dda80d7e7479e96f

https://0dd.zone/2018/10/27/exist-XXE

https://0dd.zone/2018/10/27/exist-XXE/

https://github.com/eXist-db/exist/pull/2243

https://github.com/eXist-db/exist/pull/2247

https://github.com/advisories/GHSA-jxm5-5xcw-h57q

https://github.com/eXist-db/exist/commit/1c3f0aec14d00bdbca175713af70cb7c7b868e9f

https://github.com/eXist-db/exist/issues/2180

Do you need more information?

CVSS v4

Base Score:

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

HIGH

Subsequent System Availability

HIGH

CVSS v3

Base Score:

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

7.5

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference

CWE-611

EPSS

Base Score:

0.24

Products

Solutions

Resources

Company

Compare

Developer Tools