CVE-2018-12544

CRITICAL

Eclipse Vert.x <3.5.4 - SSRF


Description

In versions 3.5.Beta1 through 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defenses against XML attacks. This mechanism is used only when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.

Exploits (1)

nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-12544-vertx-web-vulnerable

Scores

CVSS v3 9.8
EPSS 0.0062
EPSS Percentile 69.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-611
Status published

Affected Products (10)

eclipse/vert.x
io.vertx/vertx-core < 3.5.4 (Maven)

Timeline

Published Oct 10, 2018
Tracked Since Feb 18, 2026