Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 9 Feb 2018 10:58:08 -0500
From: "Alex O'Ree" <alexoree@...che.org>
To: user@...di.apache.org, dev@...di.apache.org, security@...che.org, 
	oss-security@...ts.openwall.com
Subject: [Security] CVE-2018-1307 XML Entity Expansion in juddi-client v3.2
 through 3.3.4

CVEID  CVE-2018-1307

VERSION:  3.2 through 3.3.4

PROBLEMTYPE: XML Entity Expansion

REFERENCES: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4267

DISCRIPTION: If using the WADL2Java or WSDL2Java classes, which parse a
local or remote XML document and then mediates the data structures into
UDDI data structures, there are little protections present against entity
expansion and DTD type of attacks. This was fixed with
https://issues.apache.org/jira/browse/JUDDI-987

Severity: Moderate

Mitigation:

Update your juddi-client dependencies to 3.3.5 or newer and/or discontinue
use of the effected classes.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ