WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2018-1000836 Vulnerability in maven package org.bedework.caleng:bw-calendar-engine-impl

Description

bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.

Remediation

References

https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/

https://github.com/Bedework/bw-calendar-engine/issues/3

Related Vulnerabilities

CVE-2023-42795 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2018-3755 Vulnerability in npm package sexstatic

CVE-2022-4520 Vulnerability in maven package org.wso2.carbon.registry:org.wso2.carbon.registry.search.ui

CVE-2020-35202 Vulnerability in maven package org.igniterealtime.openfire.plugins:dbaccess

CVE-2016-5682 Vulnerability in maven package org.webjars:swagger-ui

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Tags

Third Party Advisory