CVE-2018-1000069 - OpenCVE

FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to open a specially crafted mind map file. This vulnerability appears to have been fixed in 1.6+.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Freeplane	Freeplane

Configuration 1 [-]

cpe:2.3:a:freeplane:freeplane:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2018/03/msg00019.html
https://www.debian.org/security/2018/dsa-4175
https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser
https://www.youtube.com/watch?v=7IXtiTNilAI

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-03-13T15:00:00

Updated: 2024-08-05T12:33:49.078Z

Reserved: 2018-02-21T00:00:00

Link: CVE-2018-1000069

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-03-13T15:29:00.207

Modified: 2019-03-14T17:31:50.387

Link: CVE-2018-1000069

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-02-08T00:00:00", "datePublic": "2018-03-13T00:00:00", "descriptions": [{"lang": "en", "value": "FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to open a specially crafted mind map file. This vulnerability appears to have been fixed in 1.6+."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-04-19T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[debian-lts-announce] 20180324 [SECURITY] [DLA 1316-1] freeplane security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00019.html"}, {"name": "DSA-4175", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4175"}, {"tags": ["x_refsource_MISC"], "url": "https://www.youtube.com/watch?v=7IXtiTNilAI"}, {"tags": ["x_refsource_MISC"], "url": "https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2/8/2018 5:47:33", "ID": "CVE-2018-1000069", "REQUESTER": "wojciech.regula@securing.pl", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to open a specially crafted mind map file. This vulnerability appears to have been fixed in 1.6+."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[debian-lts-announce] 20180324 [SECURITY] [DLA 1316-1] freeplane security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00019.html"}, {"name": "DSA-4175", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4175"}, {"name": "https://www.youtube.com/watch?v=7IXtiTNilAI", "refsource": "MISC", "url": "https://www.youtube.com/watch?v=7IXtiTNilAI"}, {"name": "https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser", "refsource": "MISC", "url": "https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:49.078Z"}, "title": "CVE Program Container", "references": [{"name": "[debian-lts-announce] 20180324 [SECURITY] [DLA 1316-1] freeplane security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00019.html"}, {"name": "DSA-4175", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4175"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.youtube.com/watch?v=7IXtiTNilAI"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000069", "datePublished": "2018-03-13T15:00:00", "dateReserved": "2018-02-21T00:00:00", "dateUpdated": "2024-08-05T12:33:49.078Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freeplane:freeplane:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F9A466F-71A4-4357-9667-9823A2B1E301", "versionEndIncluding": "1.5.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to open a specially crafted mind map file. This vulnerability appears to have been fixed in 1.6+."}, {"lang": "es", "value": "FreePlane, en su versi\u00f3n 1.5.9 y anteriores, contiene una vulnerabilidad de XEE (XML External Entity) en el analizador XML en el cargador mindmap que puede dar como resultado el robo de datos de la m\u00e1quina de la v\u00edctima. Parece que este ataque requiere que la v\u00edctima abra un archivo mindmap especialmente manipulado. Esta vulnerabilidad parece haber sido solucionada en las versiones posteriores a 1.6."}], "id": "CVE-2018-1000069", "lastModified": "2019-03-14T17:31:50.387", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-13T15:29:00.207", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00019.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4175"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.youtube.com/watch?v=7IXtiTNilAI"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}