Apache Karaf Hot Deploy Feature XML External Entity Injection Vulnerability



A vulnerability in Apache Karaf could allow an unauthenticated, remote attacker to gain access to sensitive information or consume memory resources on a targeted system.

The vulnerability is due to improper processing of XML data by the hot deploy feature of the affected software: the features deployer unmarshals any features.xml dropped into the Karaf deploy folder with an XML parser that was not configured to block external entity expansion. An attacker could exploit this vulnerability by causing a crafted features.xml file to be placed in that folder, for example by persuading a user to deploy the file, at which point the hot deploy feature parses it automatically. A successful exploit could cause an XML External Entity (XXE) injection attack, allowing the attacker to read files accessible to the Karaf process or to consume memory resources on the targeted system. Until the fixed release is installed, restricting write access to the deploy folder limits who can supply such a file.
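The parser configuration at issue, shown as an added example that is not Karaf's own code: a minimal JAXB model standing in for the features schema (the real schema is namespaced and far richer), a constructed features.xml that declares an external entity, a default JAXB unmarshal that resolves it, and a hardened unmarshal that builds its own SAX reader with DOCTYPE and external entities disabled and hands JAXB a SAXSource over it. Class and field names are hypothetical; it assumes JAXB (javax.xml.bind) is on the classpath.

```java
// Added example, not Apache Karaf's code. Demonstrates the XXE class behind
// CVE-2018-11788 with a stand-in for the features.xml model, and the parser
// lock-down that prevents it. Assumes JAXB (javax.xml.bind) on the classpath.
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class FeaturesXxeDemo {

    // Hypothetical, minimal stand-in for the features schema:
    // <features><feature name="..."/></features>
    @XmlRootElement(name = "features")
    public static class Features {
        @XmlElement(name = "feature")
        public List<Feature> features = new ArrayList<>();
    }

    public static class Feature {
        @XmlAttribute
        public String name;
    }

    // Constructed sample input: a features.xml whose DTD declares an external
    // entity and references it from an attribute. A parser that resolves the
    // entity copies the named file's contents into the feature name.
    static final String MALICIOUS_FEATURES =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE features [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<features><feature name=\"&xxe;\"/></features>";

    // Vulnerable: the default unmarshal path builds its own SAX parser with
    // DTD processing and external entity resolution left enabled.
    static Features unmarshalDefault(String xml) throws JAXBException {
        Unmarshaller u = JAXBContext.newInstance(Features.class).createUnmarshaller();
        return (Features) u.unmarshal(new StringReader(xml));
    }

    // Hardened: construct the SAX reader ourselves, reject any DOCTYPE,
    // disable external general/parameter entities and external DTD loading,
    // then give JAXB a SAXSource over that reader so it cannot pick its own.
    static Features unmarshalHardened(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Unmarshaller u = JAXBContext.newInstance(Features.class).createUnmarshaller();
        return (Features) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        Features leaked = unmarshalDefault(MALICIOUS_FEATURES);
        System.out.println("default parser: feature name = " + leaked.features.get(0).name);
        try {
            unmarshalHardened(MALICIOUS_FEATURES);
            System.out.println("hardened parser: unexpectedly accepted the file");
        } catch (UnmarshalException e) {
            // disallow-doctype-decl makes the SAX parser fail on the DTD itself,
            // before any entity can be declared or resolved.
            System.out.println("hardened parser rejected the file: " + e.getCause());
        }
    }
}
```

Disallowing the DOCTYPE outright is the simplest fix when the format never legitimately carries a DTD, as features.xml does not; if a DTD had to be tolerated, the three entity and external-DTD features alone still prevent the file read, but not entity-expansion memory exhaustion unless secure processing's expansion limit is also in force.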

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

Apache confirmed the vulnerability and released software updates.

Security Impact Rating: Medium

CVE: CVE-2018-11788

Source: Cisco Multivendor Vulnerability Alerts