Vulnerabilities > CVE-2018-20000 - XXE vulnerability in Apereo Bw-Webdav

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

apereo

CWE-611

NVD

Published: 2018-12-10

Updated: 2019-01-24

Summary

Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.

Vulnerable Configurations

Part	Description	Count
Application	Apereo Apereo BW Webdav 3.4.1 Apereo BW Webdav 4.0.0 Apereo BW Webdav 4.0.1 Apereo BW Webdav 4.0.2	4

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://github.com/Bedework/bw-webdav/pull/1
https://github.com/Bedework/bw-webdav/compare/bw-webdav-4.0.2...bw-webdav-4.0.3