CVE-2018-1000822: XML External Entity (XXE) vulnerability in codelibs fess
CVSS Score (v3.0): 10
Basic Information
CVE ID: CVE-2018-1000822
GHSA ID:
EPSS Score: 0.47758%
CWE:
Published: 12/20/2018
Updated: 1/9/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.codelibs.fess:fess | maven | < 12.3.2 | 12.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure XML parsing in the GSA XML file parser. The GitHub issue (#1851) and the 0dd.zone report explicitly point to AdminBackupAction.java triggering GsaConfigParser.parse() for GSA XML files. While AdminBackupAction.java is the entry point, the root cause is in the implementation of GsaConfigParser: it uses SAXParserFactory without disabling external entities (as stated in the GitHub issue description), which directly enables XXE. The confidence is high because multiple sources confirm the GSA parser's role, and XXE in a SAXParser left at its default settings is well understood in this context.
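The fix for this class of bug is to configure the SAXParserFactory before any GSA XML file reaches it. The following is an added example, not code from fess or from the referenced issue; it assumes the JDK's built-in (Xerces-based) SAX parser, which recognises the feature URIs used, and the two XML documents are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedSaxExample {

    // Constructed sample: a harmless config-like document with no DOCTYPE.
    private static final String PLAIN =
        "<?xml version=\"1.0\"?><config><name>demo</name></config>";

    // Constructed sample: the same document preceded by a DOCTYPE declaring an internal entity.
    // A hardened parser must reject the DOCTYPE itself, before any entity could be resolved.
    private static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?><!DOCTYPE config [<!ENTITY x \"demo\">]>"
        + "<config><name>&x;</name></config>";

    /** Builds a SAXParserFactory with DTD processing and external entity resolution turned off. */
    public static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE: with no DTD there are no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    /** Parses the document; returns true on success, false if the hardened parser rejected it. */
    public static boolean parseSafely(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // disallow-doctype-decl raises here for any DOCTYPE, external entities included.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document accepted: " + parseSafely(PLAIN));
        System.out.println("DOCTYPE document accepted: " + parseSafely(WITH_DOCTYPE));
    }
}
```

The same feature set should be applied to the parser before parse() is called on any uploaded backup or GSA configuration file; the first document parses, the second is refused at the DOCTYPE.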