Use After Free in Apache Xerces-C++
CVE-2018-1311
The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other tha…
Vulnerability class: Use-After-Free
EPSS: 0.096 (94.8th percentile).
CVSS v3 metric
CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Apache Xerces-C++
- Apache Software Foundation Xerces-c — versions 3.0.0 to 3.2.2
- Oracle Goldengate
- Debian Debian_linux — versions 9.0, 10.0
- Fedoraproject Fedora — versions 38, 39
- Redhat Enterprise_linux_desktop — versions 6.0, 7.0
- Redhat Enterprise_linux_eus — versions 7.7
- Redhat Enterprise_linux_server — versions 6.0, 7.0
- Redhat Enterprise_linux_server_aus — versions 7.7
- Redhat Enterprise_linux_server_tus — versions 7.7
Weakness classification (CWE)
Public proof-of-concept exploits
- security@apache.org (Mailing List, Third Party Advisory)
Frequently asked questions
- What is CVE-2018-1311?
- CVE-2018-1311 is a high-severity vulnerability in Apache Xerces-C++, classified under Use After Free. CVSS score: 8.1/10. Published 2019-12-18.
- How severe is CVE-2018-1311?
- High severity. CVSS v3 base score is 8.1 out of 10.
- Is CVE-2018-1311 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.