CVE-2018-1000836 – org.bedework.caleng:bw-calendar-engine
Package
Manager: maven
Name: org.bedework.caleng:bw-calendar-engine
Vulnerable Version: >=0 <=3.12.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00292 (percentile 0.5216)
Details
XML External Entity (XXE) vulnerability in bw-calendar-engine. bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man-in-the-middle or a malicious server.
Metadata
Created: 2018-12-20T22:02:51Z
Modified: 2022-09-14T22:23:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-xmvg-w4f9-99r7/GHSA-xmvg-w4f9-99r7.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-xmvg-w4f9-99r7
Finding: F083
Auto approve: 1