Improper Restriction of XML External Entity Reference in pippo-core · CVE-2018-20059 · GitHub Advisory Database · GitHub

Improper Restriction of XML External Entity Reference in pippo-core

Critical severity GitHub Reviewed Published Dec 19, 2018 to the GitHub Advisory Database • Updated Mar 4, 2024

Package

ro.pippo:pippo-core (Maven)

Affected versions

< 1.12.0

Patched versions

1.12.0

Description

jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.

References

Published to the GitHub Advisory Database Dec 19, 2018

Reviewed Jun 16, 2020

Last updated Mar 4, 2024

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H