{"containers": {"cna": {"affected": [{"product": "Apache jUDDI", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "3.2 to 3.3.4"}]}], "datePublic": "2017-11-10T00:00:00", "descriptions": [{"lang": "en", "value": "In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5."}], "problemTypes": [{"descriptions": [{"description": "XML Entity Expansion", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-09T18:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/JUDDI-987"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://juddi.apache.org/security.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-11-10T00:00:00", "ID": "CVE-2018-1307", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache jUDDI", "version": {"version_data": [{"version_value": "3.2 to 3.3.4"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XML Entity Expansion"}]}]}, "references": {"reference_data": [{"name": "https://issues.apache.org/jira/browse/JUDDI-987", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/JUDDI-987"}, {"name": "http://juddi.apache.org/security.html", "refsource": "CONFIRM", "url": "http://juddi.apache.org/security.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:59:38.780Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/JUDDI-987"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://juddi.apache.org/security.html"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1307", "datePublished": "2018-02-09T19:00:00Z", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-09-16T19:24:28.480Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:juddi:*:*:*:*:*:*:*:*", "matchCriteriaId": "B35A9FEC-8DEA-4BA1-B62A-9C66A4C01408", "versionEndIncluding": "3.3.4", "versionStartIncluding": "3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5."}, {"lang": "es", "value": "En Apache jUDDI 3.2 hasta 3.3.4, si se usan las clases WADL2Java o WSDL2Java, que analizan un documento XML local o remoto y luego convierten las estructuras de datos en estructuras de datos UDDI, hay pocas protecciones contra ataques de expansi\u00f3n de entidad y DTD. La soluci\u00f3n es emplear la versi\u00f3n 3.3.5."}], "id": "CVE-2018-1307", "lastModified": "2018-03-08T16:36:43.637", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-09T19:29:00.227", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "http://juddi.apache.org/security.html"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/JUDDI-987"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "juddi-client: XML Entity Expansion in WADL2Java or WSDL2Java classes", "id": "1544034", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1544034"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-776", "details": ["In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5."], "name": "CVE-2018-1307", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "juddi-client", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "juddi-client", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Not affected", "package_name": "juddi-client", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Not affected", "package_name": "juddi-client", "product_name": "Red Hat JBoss Portal 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Not affected", "package_name": "juddi-client", "product_name": "Red Hat JBoss SOA Platform 5"}], "public_date": "2017-11-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1307\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1307"], "statement": "No Red Hat products are affected by CVE-2018-1307.", "threat_severity": "Low", "upstream_fix": "juddi-client 3.3.5"}