exist-db:exist-core XML External Entity (XXE) vulnerability · CVE-2018-1000823 · GitHub Advisory Database · GitHub

exist-db:exist-core XML External Entity (XXE) vulnerability

Critical severity GitHub Reviewed Published Dec 20, 2018 to the GitHub Advisory Database • Updated Jan 11, 2023

Package

org.exist-db:exist-core (Maven)

Affected versions

< 5.1.0

Patched versions

5.1.0

Description

exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.

References

Published to the GitHub Advisory Database Dec 20, 2018

Reviewed Jun 16, 2020

Last updated Jan 11, 2023

Severity

Critical

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H