Is CVE-2018-1311 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 10%.

What products does CVE-2018-1311 affect?

Tracked products affected include Fedora. Check the version you run to see whether it is affected.

How do I fix CVE-2018-1311?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2018-1311

Q: What is CVE-2018-1311?

CVE-2018-1311 is a high-severity software vulnerability (Use-after-free) with a CVSS score of 8.1. The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than

HIGH severity · CVSS 8.1 · Use-after-free

8.1CVSS HIGH

Summary

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)10%

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Fedora

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://lists.apache.org/thread.html/r48ea463fde218b1e4cc1a1d05770a0cea34de0600b4355315a49226b%40%3Cc-dev.xerces.apache.org%3EAdvisory
http://www.openwall.com/lists/oss-security/2024/02/16/1Advisory
https://access.redhat.com/errata/RHSA-2020:0702Advisory
https://access.redhat.com/errata/RHSA-2020:0704Advisory
https://lists.apache.org/thread.html/r90ec105571622a7dc3a43b846c12732d2e563561dfb2f72941625f35%40%3Cc-users.xerces.apache.org%3E
https://lists.apache.org/thread.html/rabbcc0249de1dda70cda96fd9bcff78217be7a57d96e7dcc8cd96646%40%3Cc-users.xerces.apache.org%3E
https://lists.apache.org/thread.html/rfeb8abe36bcca91eb603deef49fbbe46870918830a66328a780b8625%40%3Cc-users.xerces.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/12/msg00025.htmlAdvisory