1544034 – (CVE-2018-1307) CVE-2018-1307 juddi-client: XML Entity Expansion in WADL2Java or WSDL2Java classes

Bug 1544034 (CVE-2018-1307) - CVE-2018-1307 juddi-client: XML Entity Expansion in WADL2Java or WSDL2Java classes

Summary: CVE-2018-1307 juddi-client: XML Entity Expansion in WADL2Java or WSDL2Java cl...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-1307
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1544035
TreeView+	depends on / blocked

Reported:	2018-02-09 22:43 UTC by Laura Pardo
Modified:	2021-02-17 00:50 UTC (History)
CC List:	41 users (show)
Fixed In Version:	juddi-client 3.3.5
Clone Of:
Environment:
Last Closed:	2018-04-22 23:13:47 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-02-09 22:43:06 UTC

A flaw was found in Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. 

References:
http://juddi.apache.org/security.html
https://issues.apache.org/jira/browse/JUDDI-987

Patch:
https://git-wip-us.apache.org/repos/asf?p=juddi.git;h=248b39c

Comment 2 Chess Hazlett 2018-04-22 23:14:06 UTC

Statement:

No Red Hat products are affected by CVE-2018-1307.

Note You need to log in before you can comment on or make changes to this bug.

aileenc
apintea
bkundal
bmaxwell
cdewolf
chazlett
csutherl
darran.lofthouse
dimitris
dosoudil
fgavrilo
gvarsami
hghasemb
jawilson
jcoleman
jondruse
jshepherd
kconner
krathod
ldimaggi
lgao
loleary
myarboro
nwallace
pavelp
pgier
pjurak
ppalaga
psakar
pslavice
rnetuka
rstancel
rsvoboda
rwagner
spinder
sstavrev
tcunning
theute
tkirby
twalsh
vtunka