CVE-2018-17186

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-17186

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17186.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2018-17186

Aliases

GHSA-qfjv-998w-q48f

Published

2018-11-06T20:29:00.217Z

Modified

2026-05-15T06:58:32.430176Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.

References

https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions

Affected packages

Git / github.com/apache/syncope

Affected ranges

Type

GIT

Repo

https://github.com/apache/syncope

Events

Introduced

973afc777d2f8093785875c62e808d97334fb2e3

Last affected

bb22b39ca3e770858e4162521d93a59f1cb7b70a

Introduced

49c2e53ba6baf1423a89b5ab9a24aa665a5780ad

Last affected

aa29d59ac7506942d72833e178ea9f7e0c81182b

Database specific

{
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "last_affected": "2.0.11"
        },
        {
            "introduced": "2.1.0"
        },
        {
            "last_affected": "2.1.2"
        }
    ]
}

Affected versions

syncope-2.*

syncope-2.0.0

syncope-2.0.1

syncope-2.0.10

syncope-2.0.11

syncope-2.0.2

syncope-2.0.3

syncope-2.0.4

syncope-2.0.5

syncope-2.0.6

syncope-2.0.7

syncope-2.0.8

syncope-2.0.9

syncope-2.1.0

syncope-2.1.1

syncope-2.1.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17186.json"