Bug 539568 (CVE-2018-12544) - The OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks
Status: RESOLVED FIXED
Alias: CVE-2018-12544
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Mac OS X
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
QA Contact:
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2018-09-27 10:21 EDT by Julien Viet CLA
Modified: 2019-02-01 12:13 EST

Description Julien Viet CLA 2018-09-27 10:21:51 EDT
I am requesting a CVE, the details will be provided later as a comment.
Comment 1 Wayne Beaton CLA 2018-09-27 11:12:20 EDT
Let's use CVE-2018-12544
Comment 2 Julien Viet CLA 2018-10-03 03:31:43 EDT
Here is the CVE info:

    - description: The OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is used exclusively when the developer uses the Vert.x OpenAPI XML type validator to validate a provided schema.
    - versions: 3.5.0.Beta1, 3.5.0, 3.5.1, 3.5.2.CR1, 3.5.2.CR2, 3.5.2.CR3, 3.5.2, 3.5.3
    - CWE category: https://cwe.mitre.org/data/definitions/611.html
    - https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568


This has been fixed in 3.5.4; here is the corresponding project issue: https://github.com/vert-x3/vertx-web/issues/1021