CVE-2018-11788 is a vulnerability in Apache Karaf
Published on January 7, 2019
Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML file by dropping it directly into the deploy folder. The features XML is parsed with the XMLInputFactory class. Karaf's use of XMLInputFactory contains no mitigation against XXE (XML External Entity) attacks, so a user who can place a features file in the deploy folder can inject external XML entities and have the parser resolve them, for example to read local files on the Karaf host. This affects Apache Karaf versions prior to 4.1.7 and 4.2.2; it has been fixed in the Apache Karaf 4.1.7 and 4.2.2 releases.
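As an added illustration (not code from this page or from the Karaf project), the Java program below parses a features-style document with a default XMLInputFactory and again with one hardened against XXE. The secret file, the malicious features document and the class name FeaturesXxeDemo are constructed for the demonstration; the two StAX properties it disables are the standard XXE mitigation for XMLInputFactory and are assumed here to be the relevant fix, not a copy of Karaf's own patch.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class FeaturesXxeDemo {

    // Default JDK StAX factory: processes DTDs and resolves external entities,
    // which is the unmitigated behaviour the advisory describes.
    static XMLInputFactory unsafeFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened factory (assumed mitigation, not Karaf's own code): no DTD
    // processing, no external entity resolution.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Return the text of the first <bundle> element, where an injected entity
    // would expand. Returns null if the document has no <bundle>.
    static String firstBundleText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "bundle".equals(r.getLocalName())) {
                    return r.getElementText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for anything readable by the Karaf process.
        Path secret = Files.createTempFile("karaf-xxe-demo", ".txt");
        Files.write(secret, "SECRET-MARKER".getBytes(StandardCharsets.UTF_8));

        // Constructed malicious features XML: an external entity that points at the file.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<!DOCTYPE features [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<features name=\"demo\">\n"
            + "  <feature name=\"demo-feature\" version=\"1.0\">\n"
            + "    <bundle>&xxe;</bundle>\n"
            + "  </feature>\n"
            + "</features>\n";

        // Unmitigated: the file contents appear as the bundle text.
        System.out.println("default factory : " + firstBundleText(unsafeFactory(), xml));

        // Hardened: the DTD is not processed, so the entity is either undeclared
        // (XMLStreamException) or not resolved; the file content never appears.
        try {
            System.out.println("hardened factory: " + firstBundleText(hardenedFactory(), xml));
        } catch (XMLStreamException e) {
            System.out.println("hardened factory: rejected (" + String.valueOf(e.getMessage()).trim() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Run with `javac FeaturesXxeDemo.java && java FeaturesXxeDemo`. Disabling SUPPORT_DTD is the stronger of the two settings, since it also blocks entity-expansion and parameter-entity tricks; IS_SUPPORTING_EXTERNAL_ENTITIES is kept as a second line of defence for implementations that honour one property but not the other.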
Products Associated with CVE-2018-11788
Affected Versions
Apache Software Foundation, Apache Karaf: any version prior to 4.1.7 and 4.2.2 is affected by CVE-2018-11788.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.