CVE-2018-12544

CRITICAL

Eclipse Vert.x <3.5.4 - SSRF

Title source: llm

Description

In versions 3.5.Beta1 through 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defenses against XML attacks. This mechanism is used exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-12544-vertx-web-vulnerable
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-12544-vertx-web-vulnerable

Scores

CVSS v3 9.8
EPSS 0.0062
EPSS Percentile 70.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-611
Status published
Products (5)
eclipse/vert.x 3.5.0 (2 CPE variants)
eclipse/vert.x 3.5.1
eclipse/vert.x 3.5.2 (4 CPE variants)
eclipse/vert.x 3.5.3 (2 CPE variants)
io.vertx/vertx-core 3.5.0 - 3.5.4 (Maven)
Published Oct 10, 2018
Tracked Since Feb 18, 2026