Vulnerability Name: CVE-2019-9658 (CCN-158130)

Assigned: 2019-02-24
Published: 2019-02-24
Updated: 2020-10-01
Summary: Checkstyle before 8.18 loads external DTDs by default.
CVSS v3 Severity:
    5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
    4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network
        Attack Complexity (AC): Low
        Privileges Required (PR): None
        User Interaction (UI): None
    Scope: Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): Low
        Integrity (I): None
        Availability (A): None
    5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
    4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network
        Attack Complexity (AC): Low
        Privileges Required (PR): None
        User Interaction (UI): None
    Scope: Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): None
        Integrity (I): Low
        Availability (A): None
CVSS v2 Severity:
    5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Exploitability Metrics: Access Vector (AV): Network
        Access Complexity (AC): Low
        Authentication (Au): None
    Impact Metrics: Confidentiality (C): Partial
        Integrity (I): None
        Availability (A): None
    5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
    Exploitability Metrics: Access Vector (AV): Network
        Access Complexity (AC): Low
        Authentication (Au): None
    Impact Metrics: Confidentiality (C): None
        Integrity (I): Partial
        Availability (A): None
Vulnerability Type: CWE-611
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2019-9658

Source: MISC
Type: Release Notes, Vendor Advisory
https://checkstyle.org/releasenotes.html#Release_8.18

Source: XF
Type: UNKNOWN
checkstyle-cve20199658-weak-security(158130)

Source: MISC
Type: Third Party Advisory
https://github.com/checkstyle/checkstyle/issues/6474

Source: MISC
Type: Third Party Advisory
https://github.com/checkstyle/checkstyle/issues/6478

Source: CCN
Type: Checkstyle GIT Repository
Issue #6474: disable external dtd load by default #6476

Source: MISC
Type: Third Party Advisory
https://github.com/checkstyle/checkstyle/pull/6476

Source: MLIST
Type: UNKNOWN
[fluo-commits] 20190814 [fluo] branch fluo-parent updated: Update checkstyle (CVE-2019-9658) (#1073)

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[james-server-dev] 20190318 [james-project] 01/03: JAMES-2693 Update com.puppycrawl.tools:checkstyle to respond to CVE-2019-9658

Source: MLIST
Type: UNKNOWN
[fluo-notifications] 20190815 Build failed in Jenkins: Fluo Parent Pom #101

Source: MLIST
Type: UNKNOWN
[accumulo-notifications] 20190612 [GitHub] [accumulo-testing] milleruntime opened a new pull request #80: Update checkstyle

Source: MLIST
Type: UNKNOWN
[fluo-notifications] 20190814 [GitHub] [fluo] ctubbsii merged pull request #1073: Update checkstyle (CVE-2019-9658)

Source: MLIST
Type: UNKNOWN
[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html

Source: MLIST
Type: Third Party Advisory
[debian-lts-announce] 20190428 [SECURITY] [DLA 1768-1] checkstyle security update

Source: FEDORA
Type: UNKNOWN
FEDORA-2019-4696630d6f

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2019-a3f67e2364

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2019-e4405b4c9f

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-9658

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:checkstyle:checkstyle:*:*:*:*:*:*:*:* (Version < 8.18)

Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:fedoraproject:fedora:28:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:29:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:checkstyle:checkstyle:8.17:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions

Definition ID                              | Class | Title                                               | Last Modified
-------------------------------------------|-------|-----------------------------------------------------|--------------
oval:com.ubuntu.disco:def:201996580000000  | V     | CVE-2019-9658 on Ubuntu 19.04 (disco) - medium.     | 2019-03-11
oval:com.ubuntu.bionic:def:20199658000     | V     | CVE-2019-9658 on Ubuntu 18.04 LTS (bionic) - medium. | 2019-03-11
oval:com.ubuntu.cosmic:def:201996580000000 | V     | CVE-2019-9658 on Ubuntu 18.10 (cosmic) - medium.    | 2019-03-11
oval:com.ubuntu.cosmic:def:20199658000     | V     | CVE-2019-9658 on Ubuntu 18.10 (cosmic) - medium.    | 2019-03-11
oval:com.ubuntu.bionic:def:201996580000000 | V     | CVE-2019-9658 on Ubuntu 18.04 LTS (bionic) - medium. | 2019-03-11
oval:com.ubuntu.trusty:def:20199658000     | V     | CVE-2019-9658 on Ubuntu 14.04 LTS (trusty) - medium. | 2019-03-11
oval:com.ubuntu.xenial:def:201996580000000 | V     | CVE-2019-9658 on Ubuntu 16.04 LTS (xenial) - medium. | 2019-03-11
oval:com.ubuntu.xenial:def:20199658000     | V     | CVE-2019-9658 on Ubuntu 16.04 LTS (xenial) - medium. | 2019-03-11