What is the severity of CVE-2018-11758?

CVE-2018-11758 is classified as having a medium severity due to its potential for remote code execution if exploited.

How do I fix CVE-2018-11758?

To mitigate CVE-2018-11758, upgrade Apache Cayenne to version 4.1.M2 or later, which addresses this vulnerability.

What is affected by CVE-2018-11758?

CVE-2018-11758 affects multiple versions of Apache Cayenne, specifically 4.1.M1, 3.2.M1, and various 4.0 milestone and beta versions.

How does CVE-2018-11758 work?

CVE-2018-11758 can be exploited when an attacker deceives a user into opening a malicious XML file within the CayenneModeler tool.

Who is impacted by CVE-2018-11758?

Users of Apache Cayenne, particularly those using the CayenneModeler desktop GUI tool, are at risk if they are on affected versions.

Vulnerability/
CVE-2018-11758

high

8.1

CWE

611

22/8/2018

5/8/2024

CVE-2018-11758: XEE

First published: Wed Aug 22 2018(Updated: )

This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1, 3.1, 3.1.1, 3.1.2. CayenneModeler is a desktop GUI tool shipped with Apache Cayenne and intended for editing Cayenne ORM models stored as XML files. If an attacker tricks a user of CayenneModeler into opening a malicious XML file, the attacker will be able to instruct the XML parser built into CayenneModeler to transfer files from a local machine to a remote machine controlled by the attacker. The cause of the issue is XML parser processing XML External Entity (XXE) declarations included in XML. The vulnerability is addressed in Cayenne by disabling XXE processing in all operations that require XML parsing.

Credit: security@apache.org

Affected Software	Affected Version	How to fix
Apache Cayenne	<=3.1.0
Apache Cayenne	=3.1.1
Apache Cayenne	=3.1.2
Apache Cayenne	=3.2-milestone1
Apache Cayenne	=4.0-beta1
Apache Cayenne	=4.0-beta2
Apache Cayenne	=4.0-milestone2
Apache Cayenne	=4.0-milestone3
Apache Cayenne	=4.0-milestone4
Apache Cayenne	=4.0-milestone5
Apache Cayenne	=4.0-rc1
Apache Cayenne	=4.1-milestone1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2018-11758?
CVE-2018-11758 is classified as having a medium severity due to its potential for remote code execution if exploited.
How do I fix CVE-2018-11758?
To mitigate CVE-2018-11758, upgrade Apache Cayenne to version 4.1.M2 or later, which addresses this vulnerability.
What is affected by CVE-2018-11758?
CVE-2018-11758 affects multiple versions of Apache Cayenne, specifically 4.1.M1, 3.2.M1, and various 4.0 milestone and beta versions.
How does CVE-2018-11758 work?
CVE-2018-11758 can be exploited when an attacker deceives a user into opening a malicious XML file within the CayenneModeler tool.
Who is impacted by CVE-2018-11758?
Users of Apache Cayenne, particularly those using the CayenneModeler desktop GUI tool, are at risk if they are on affected versions.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/severity
agent/weakness
agent/last-modified-date
agent/author
agent/description
agent/first-publish-date
agent/event
agent/tags
agent/source
vendor/apache
canonical/apache cayenne
version/apache cayenne/3.1.0
version/apache cayenne/3.1.1
version/apache cayenne/3.1.2
version/apache cayenne/3.2-milestone1
version/apache cayenne/4.0-beta1
version/apache cayenne/4.0-beta2
version/apache cayenne/4.0-milestone2
version/apache cayenne/4.0-milestone3
version/apache cayenne/4.0-milestone4
version/apache cayenne/4.0-milestone5
version/apache cayenne/4.0-rc1
version/apache cayenne/4.1-milestone1