Lucene search

[email protected]NVD:CVE-2018-1311

HistoryDec 18, 2019 - 8:15 p.m.

CVE-2018-1311

2019-12-1820:15:15

CWE-416

[email protected]

web.nvd.nist.gov

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.014 Low

EPSS

Percentile

86.6%

JSON

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

Affected configurations

NVD

Node

apachexerces-c\+\+Range3.0.0–3.2.5

Node

redhatenterprise_linux_desktopMatch6.0

redhatenterprise_linux_desktopMatch7.0

redhatenterprise_linux_eusMatch7.7

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_server_ausMatch7.7

redhatenterprise_linux_server_tusMatch7.7

redhatenterprise_linux_workstationMatch6.0

redhatenterprise_linux_workstationMatch7.0

Node

debiandebian_linuxMatch9.0

debiandebian_linuxMatch10.0

Node

oraclegoldengateRange<21.4.0.0.0

Node

fedoraprojectfedoraMatch38

fedoraprojectfedoraMatch39

References

www.openwall.com/lists/oss-security/2024/02/16/1

access.redhat.com/errata/RHSA-2020:0702

access.redhat.com/errata/RHSA-2020:0704

lists.apache.org/thread.html/r48ea463fde218b1e4cc1a1d05770a0cea34de0600b4355315a49226b%40%3Cc-dev.xerces.apache.org%3E

lists.apache.org/thread.html/r90ec105571622a7dc3a43b846c12732d2e563561dfb2f72941625f35%40%3Cc-users.xerces.apache.org%3E

lists.apache.org/thread.html/rabbcc0249de1dda70cda96fd9bcff78217be7a57d96e7dcc8cd96646%40%3Cc-users.xerces.apache.org%3E

lists.apache.org/thread.html/rfeb8abe36bcca91eb603deef49fbbe46870918830a66328a780b8625%40%3Cc-users.xerces.apache.org%3E

lists.debian.org/debian-lts-announce/2020/12/msg00025.html

lists.debian.org/debian-lts-announce/2023/12/msg00027.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD/

marc.info/?l=xerces-c-users&m=157653840106914&w=2

www.debian.org/security/2020/dsa-4814

www.oracle.com/security-alerts/cpujan2022.html

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.014 Low

EPSS

Percentile

86.6%

JSON

Related for NVD:CVE-2018-1311