4.0.0

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

eclipse

CWE-611

NVD

Published: 2019-04-09

Updated: 2019-10-09

Summary

In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation.

Vulnerable Configurations

Part	Description	Count
Application	Eclipse Eclipse Kura 2.0.2 Eclipse Kura 4.0.0	2

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

http://www.securityfocus.com/bid/107844
https://bugs.eclipse.org/bugs/show_bug.cgi?id=545835