CVE-2018-1311

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 18-12-2019 09:15

Last modified: - 05-04-2022 10:34

Total changes: - 4

Description

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

High

Attack complexity

Network

Attack vector

High

Availability

High

Confidentiality

High

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

8.1

Base score

2.2

5.9

Exploitability score

Impact score

Verification logic

vendor=apache AND product=xerces-c AND versionEndIncluding=3.2.3 AND versionStartIncluding=3.0.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_desktop AND version=6.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_desktop AND version=7.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server AND version=6.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server AND version=7.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=7.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=7.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_workstation AND version=6.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_workstation AND version=7.0

vendor=Debian AND product=debian_linux AND version=9.0

vendor=Debian AND product=debian_linux AND version=10.0

vendor=oracle AND product=goldengate AND versionEndExcluding=21.4.0.0.0

Reference

https://marc.info/?l=xerces-c-users&m=157653840106914&w=2
[xerces-c-dev] 20200110 [xerces-c] 06/13: Add CVE-2018-1311 advisory and web site note.-Mitigation, Third Party Advisory
RHSA-2020:0704-Third Party Advisory
RHSA-2020:0702-Third Party Advisory
[debian-lts-announce] 20201217 [SECURITY] [DLA 2498-1] xerces-c security update-Mailing List, Third Party Advisory
DSA-4814-Third Party Advisory
[xerces-c-users] 20210528 Security vulnerability - CVE-2018-1311-Mailing List, Third Party Advisory
[xerces-c-users] 20210528 RE: Security vulnerability - CVE-2018-1311-Mailing List, Third Party Advisory
[xerces-c-users] 20210528 Re: Security vulnerability - CVE-2018-1311-Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Keywords

CVE-2018-1311

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2018-1311

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures