What is CVE-2019-0228?

CVE-2019-0228 is a critical-severity vulnerability in Apache James, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 9.8/10. Published 2019-04-17.

How severe is CVE-2019-0228?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2019-0228 known to be exploited?

8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XXE in Apache James

CVE-2019-0228

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Vulnerability class: XXE (XML External Entity)

EPSS: 0.095 (94.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apache James — versions 3.3.0, 3.4.0
Apache Pdfbox — versions 2.0.14
Oracle Banking_corporate_lending_process_management — versions 14.2, 14.3, 14.5
Oracle Banking_credit_facilities_process_management — versions 14.2, 14.3, 14.5
Oracle Banking_supply_chain_finance — versions 14.2, 14.3, 14.5
Oracle Banking_trade_finance_process_management — versions 14.2, 14.3, 14.5
Oracle Banking_virtual_account_management — versions 14.2, 14.3.0, 14.5
Oracle Communications_messaging_server — versions 8.1
Oracle Communications_session_report_manager
Oracle Hyperion_financial_reporting — versions 11.1.2.4, 11.2.6.0

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

Public proof-of-concept exploits

References

security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (x_refsource_FEDORA, vendor-advisory)
security@apache.org (x_refsource_FEDORA, vendor-advisory)
security@apache.org (Third Party Advisory, x_refsource_MISC)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (Third Party Advisory, x_refsource_MISC)
security@apache.org (x_refsource_MISC)

Frequently asked questions

What is CVE-2019-0228?: CVE-2019-0228 is a critical-severity vulnerability in Apache James, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 9.8/10. Published 2019-04-17.
How severe is CVE-2019-0228?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2019-0228 known to be exploited?: 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.