CVE-2018-12544: XEE
First published: Wed Oct 10 2018(Updated: )
In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.
Credit: emo@eclipse.org emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse Vert.x | =3.5.0 | |
| Eclipse Vert.x | =3.5.0-beta1 | |
| Eclipse Vert.x | =3.5.1 | |
| Eclipse Vert.x | =3.5.2 | |
| Eclipse Vert.x | =3.5.2-cr1 | |
| Eclipse Vert.x | =3.5.2-cr2 | |
| Eclipse Vert.x | =3.5.2-cr3 | |
| Eclipse Vert.x | =3.5.3 | |
| Eclipse Vert.x | =3.5.3-cr1 | |
| redhat/vertx-web | <3.5.4 | 3.5.4 |
| maven/io.vertx:vertx-core | >=3.5.0<3.5.4 | 3.5.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2018:2946
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568
- https://github.com/vert-x3/vertx-web/issues/1021
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
- https://github.com/vert-x3/vertx-web/pull/1022/commits/d814d22ade14bafec47c4447a4ba9bff090f05e8
- https://github.com/vert-x3/vertx-web/pull/1022/commits/26db16c7b32e655b489d1a71605f9a785f788e41
- https://bugzilla.redhat.com/show_bug.cgi?id=1638384
- https://nvd.nist.gov/vuln/detail/CVE-2018-12544
- https://github.com/advisories/GHSA-qh3m-qw6v-qvhg (Advisory)
- https://github.com/vert-x3/vertx-web/commit/ac8692c618d6180a9bc012a2ac8dbec821b1a97
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
- collector/nvd-index
- agent/remedy
- agent/type
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-12544
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qh3m-qw6v-qvhg
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/references
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- agent/trending
- vendor/eclipse
- canonical/eclipse vert.x
- version/eclipse vert.x/3.5.0
- version/eclipse vert.x/3.5.0-beta1
- version/eclipse vert.x/3.5.1
- version/eclipse vert.x/3.5.2
- version/eclipse vert.x/3.5.2-cr1
- version/eclipse vert.x/3.5.2-cr2
- version/eclipse vert.x/3.5.2-cr3
- version/eclipse vert.x/3.5.3
- version/eclipse vert.x/3.5.3-cr1
- package-manager/redhat
- package-manager/maven