CVE-2018-1000825

NameCVE-2018-1000825
DescriptionFreeCol version <= nightly-2018-08-22 contains a XML External Entity (XXE) vulnerability in FreeColXMLReader parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Freecol file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)
Debian Bugs917023

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
freecol (PTS)jessie0.10.7+dfsg-3vulnerable
stretch0.11.6+dfsg-1vulnerable
buster, sid0.11.6+dfsg2-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
freecolsource(unstable)(unfixed)low917023
freecolsourcejessie(unfixed)end-of-life

Notes

[stretch] - freecol <no-dsa> (Minor issue)
[jessie] - freecol <end-of-life> (Games are not supported)
https://github.com/FreeCol/freecol/issues/26

Search for package or bug name: Reporting problems