CVE-2019-9658 - Checkstyle before 8.18 loads external DTDs by default.

CVE-2019-9658

Summary

Checkstyle before 8.18 loads external DTDs by default.

References

Vulnerable Configurations

cpe:2.3:a:checkstyle:checkstyle:8.11:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.11:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.12:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.12:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.13:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.13:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.14:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.14:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.15:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.15:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.16:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.16:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.17:*:*:*:*:*:*:*
cpe:2.3:a:checkstyle:checkstyle:8.17:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

CVSS

CWE

CAPEC

XML External Entities Blowup
This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

refmap via4

fedora	FEDORA-2019-4696630d6f FEDORA-2019-a3f67e2364 FEDORA-2019-e4405b4c9f
misc	https://checkstyle.org/releasenotes.html#Release_8.18 https://github.com/checkstyle/checkstyle/issues/6474 https://github.com/checkstyle/checkstyle/issues/6478 https://github.com/checkstyle/checkstyle/pull/6476
mlist	[accumulo-notifications] 20190612 [GitHub] [accumulo-testing] milleruntime opened a new pull request #80: Update checkstyle [debian-lts-announce] 20190428 [SECURITY] [DLA 1768-1] checkstyle security update [fluo-commits] 20190814 [fluo] branch fluo-parent updated: Update checkstyle (CVE-2019-9658) (#1073) [fluo-notifications] 20190814 [GitHub] [fluo] ctubbsii merged pull request #1073: Update checkstyle (CVE-2019-9658) [fluo-notifications] 20190815 Build failed in Jenkins: Fluo Parent Pom #101 [james-server-dev] 20190318 [james-project] 01/03: JAMES-2693 Update com.puppycrawl.tools:checkstyle to respond to CVE-2019-9658 [nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html

Last major update

01-10-2020 - 00:15

Published

11-03-2019 - 05:29

Last modified

01-10-2020 - 00:15