CVE-2018-17186

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-17186

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17186.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2018-17186

Aliases

GHSA-qfjv-998w-q48f

Published

2018-11-06T20:29:00Z

Modified

2024-10-12T03:16:31.595382Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.

References

https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions

Affected packages

Git / github.com/apache/syncope

Affected ranges

Type: GIT
Repo: https://github.com/apache/syncope
Events: Introduced

49c2e53ba6baf1423a89b5ab9a24aa665a5780ad

Last affected

aa29d59ac7506942d72833e178ea9f7e0c81182b

Introduced

973afc777d2f8093785875c62e808d97334fb2e3

Last affected

bb22b39ca3e770858e4162521d93a59f1cb7b70a

Affected versions

syncope-2.*

syncope-2.0.0

syncope-2.0.1

syncope-2.0.10

syncope-2.0.11

syncope-2.0.2

syncope-2.0.3

syncope-2.0.4

syncope-2.0.5

syncope-2.0.6

syncope-2.0.7

syncope-2.0.8

syncope-2.0.9

syncope-2.1.0

syncope-2.1.1

syncope-2.1.2