CVE-2018-20843

Improper Restriction of XML External Entity Reference

Published: Jun 24, 2019 | Modified: Nov 21, 2024

CVSS 3.x: 7.5 HIGH (Source: NVD)
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x: 7.8 HIGH
  AV:N/AC:L/Au:N/C:N/I:N/A:C
RedHat/V2:
RedHat/V3: 7.5 MODERATE
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu: LOW

In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

Weakness

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Software

Name | Vendor | Start Version | End Version
Libexpat | Libexpat_project | * | 2.2.7 (excluding)
JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-curl-0:7.64.1-36.jbcs.el6 | *
JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el6 | *
JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el6 | *
JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el6 | *
JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el6 | *
JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el6 | *
JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el6 | *
JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el6 | *
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-curl-0:7.64.1-36.jbcs.el7 | *
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el7 | *
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el7 | *
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el7 | *
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el7 | *
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el7 | *
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el7 | *
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el7 | *
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-openssl-pkcs11-0:0.4.10-7.jbcs.el7 | *
Red Hat Enterprise Linux 7 | RedHat | expat-0:2.1.0-12.el7 | *
Red Hat Enterprise Linux 8 | RedHat | mingw-expat-0:2.2.4-5.el8 | *
Red Hat Enterprise Linux 8 | RedHat | expat-0:2.2.5-4.el8 | *
Red Hat OpenShift Do | RedHat | openshiftdo/odo-init-image-rhel7:1.1.3-2 | *
Text-Only JBCS | RedHat | expat | *
Apache2 | Ubuntu | trusty | *
Apr-util | Ubuntu | trusty | *
Audacity | Ubuntu | kinetic | *
Audacity | Ubuntu | lunar | *
Audacity | Ubuntu | mantic | *
Audacity | Ubuntu | trusty | *
Ayttm | Ubuntu | trusty | *
Ayttm | Ubuntu | xenial | *
Cableswig | Ubuntu | trusty | *
Cableswig | Ubuntu | xenial | *
Cadaver | Ubuntu | bionic | *
Cadaver | Ubuntu | cosmic | *
Cadaver | Ubuntu | disco | *
Cadaver | Ubuntu | eoan | *
Cadaver | Ubuntu | groovy | *
Cadaver | Ubuntu | hirsute | *
Cadaver | Ubuntu | impish | *
Cadaver | Ubuntu | kinetic | *
Cadaver | Ubuntu | lunar | *
Cadaver | Ubuntu | mantic | *
Cadaver | Ubuntu | trusty | *
Cadaver | Ubuntu | xenial | *
Cmake | Ubuntu | trusty | *
Coin3 | Ubuntu | bionic | *
Coin3 | Ubuntu | cosmic | *
Coin3 | Ubuntu | disco | *
Coin3 | Ubuntu | eoan | *
Coin3 | Ubuntu | esm-apps/bionic | *
Coin3 | Ubuntu | esm-apps/xenial | *
Coin3 | Ubuntu | esm-infra-legacy/trusty | *
Coin3 | Ubuntu | groovy | *
Coin3 | Ubuntu | trusty | *
Coin3 | Ubuntu | trusty/esm | *
Coin3 | Ubuntu | xenial | *
Expat | Ubuntu | bionic | *
Expat | Ubuntu | cosmic | *
Expat | Ubuntu | devel | *
Expat | Ubuntu | disco | *
Expat | Ubuntu | eoan | *
Expat | Ubuntu | focal | *
Expat | Ubuntu | groovy | *
Expat | Ubuntu | hirsute | *
Expat | Ubuntu | impish | *
Expat | Ubuntu | jammy | *
Expat | Ubuntu | kinetic | *
Expat | Ubuntu | lunar | *
Expat | Ubuntu | mantic | *
Expat | Ubuntu | noble | *
Expat | Ubuntu | oracular | *
Expat | Ubuntu | trusty | *
Expat | Ubuntu | trusty/esm | *
Expat | Ubuntu | upstream | *
Expat | Ubuntu | xenial | *
Firefox | Ubuntu | cosmic | *
Firefox | Ubuntu | disco | *
Firefox | Ubuntu | trusty | *
Gdcm | Ubuntu | trusty | *
Ghostscript | Ubuntu | trusty | *
Insighttoolkit | Ubuntu | trusty | *
Insighttoolkit | Ubuntu | xenial | *
Insighttoolkit4 | Ubuntu | esm-apps/xenial | *
Insighttoolkit4 | Ubuntu | trusty | *
Insighttoolkit4 | Ubuntu | xenial | *
Libxmltok | Ubuntu | bionic | *
Libxmltok | Ubuntu | devel | *
Libxmltok | Ubuntu | esm-apps/bionic | *
Libxmltok | Ubuntu | esm-apps/focal | *
Libxmltok | Ubuntu | esm-apps/jammy | *
Libxmltok | Ubuntu | esm-apps/noble | *
Libxmltok | Ubuntu | esm-apps/xenial | *
Libxmltok | Ubuntu | focal | *
Libxmltok | Ubuntu | hirsute | *
Libxmltok | Ubuntu | impish | *
Libxmltok | Ubuntu | jammy | *
Libxmltok | Ubuntu | kinetic | *
Libxmltok | Ubuntu | lunar | *
Libxmltok | Ubuntu | mantic | *
Libxmltok | Ubuntu | noble | *
Libxmltok | Ubuntu | oracular | *
Libxmltok | Ubuntu | trusty | *
Libxmltok | Ubuntu | upstream | *
Libxmltok | Ubuntu | xenial | *
Matanza | Ubuntu | bionic | *
Matanza | Ubuntu | cosmic | *
Matanza | Ubuntu | devel | *
Matanza | Ubuntu | disco | *
Matanza | Ubuntu | eoan | *
Matanza | Ubuntu | esm-apps/bionic | *
Matanza | Ubuntu | esm-apps/focal | *
Matanza | Ubuntu | esm-apps/jammy | *
Matanza | Ubuntu | esm-apps/noble | *
Matanza | Ubuntu | esm-apps/xenial | *
Matanza | Ubuntu | focal | *
Matanza | Ubuntu | groovy | *
Matanza | Ubuntu | hirsute | *
Matanza | Ubuntu | impish | *
Matanza | Ubuntu | jammy | *
Matanza | Ubuntu | kinetic | *
Matanza | Ubuntu | lunar | *
Matanza | Ubuntu | mantic | *
Matanza | Ubuntu | noble | *
Matanza | Ubuntu | oracular | *
Matanza | Ubuntu | trusty | *
Matanza | Ubuntu | xenial | *
Poco | Ubuntu | trusty | *
Simgear | Ubuntu | trusty | *
Sitecopy | Ubuntu | trusty | *
Smart | Ubuntu | trusty | *
Swish-e | Ubuntu | bionic | *
Swish-e | Ubuntu | cosmic | *
Swish-e | Ubuntu | disco | *
Swish-e | Ubuntu | eoan | *
Swish-e | Ubuntu | groovy | *
Swish-e | Ubuntu | hirsute | *
Swish-e | Ubuntu | impish | *
Swish-e | Ubuntu | kinetic | *
Swish-e | Ubuntu | lunar | *
Swish-e | Ubuntu | mantic | *
Swish-e | Ubuntu | trusty | *
Swish-e | Ubuntu | xenial | *
Tdom | Ubuntu | cosmic | *
Tdom | Ubuntu | trusty | *
Texlive-bin | Ubuntu | trusty | *
Thunderbird | Ubuntu | cosmic | *
Thunderbird | Ubuntu | disco | *
Thunderbird | Ubuntu | trusty | *
Vnc4 | Ubuntu | bionic | *
Vnc4 | Ubuntu | cosmic | *
Vnc4 | Ubuntu | esm-apps/bionic | *
Vnc4 | Ubuntu | esm-apps/xenial | *
Vnc4 | Ubuntu | esm-infra-legacy/trusty | *
Vnc4 | Ubuntu | trusty | *
Vnc4 | Ubuntu | trusty/esm | *
Vnc4 | Ubuntu | upstream | *
Vnc4 | Ubuntu | xenial | *
Vtk | Ubuntu | esm-apps/xenial | *
Vtk | Ubuntu | trusty | *
Vtk | Ubuntu | trusty/esm | *
Vtk | Ubuntu | xenial | *
Wbxml2 | Ubuntu | trusty | *
Wxwidgets2.8 | Ubuntu | trusty | *
Xmlrpc-c | Ubuntu | bionic | *
Xmlrpc-c | Ubuntu | cosmic | *
Xmlrpc-c | Ubuntu | disco | *
Xmlrpc-c | Ubuntu | eoan | *
Xmlrpc-c | Ubuntu | groovy | *
Xmlrpc-c | Ubuntu | hirsute | *
Xmlrpc-c | Ubuntu | impish | *
Xmlrpc-c | Ubuntu | kinetic | *
Xmlrpc-c | Ubuntu | lunar | *
Xmlrpc-c | Ubuntu | mantic | *
Xmlrpc-c | Ubuntu | trusty | *
Xmlrpc-c | Ubuntu | trusty/esm | *
Xmlrpc-c | Ubuntu | xenial | *

Extended Description

XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed these contents back into the XML document for further processing. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as “file:///c:/winnt/win.ini” designates (in Windows) the file C:\Winnt\win.ini, or file:///etc/passwd designates the password file in Unix-based systems. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents.