CVE-2018-1000652

CRITICAL

JabRef <= 4.3.1 - XML External Entity Injection in MsBibImporter XML Parser

Title source: llm
STIX 2.1

Description

JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnerability in MsBibImporter XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted MsBib file. This vulnerability appears to have been fixed in after commit 89f855d.

References (2)

Core 2
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/JabRef/jabref/issues/4229
Third Party Advisory x_refsource_misc
https://0dd.zone/2018/08/08/JabRef-XXE/

Scores

CVSS v3 10.0
EPSS 0.0194
EPSS Percentile 77.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-611
Status published
Products (1)
jabref/jabref < 4.3.1
Published Aug 20, 2018
Tracked Since Feb 18, 2026