CVE-2019-18212 — MEDIUM (6.5)

Q: How severe is CVE-2019-18212?

CVE-2019-18212 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-18212?

Check the references section above for vendor advisories and patch information. Affected products include: Xml Language Server Project Xml Server Project, Eclipse Wild Web Developer, Theia Xml Extension Project Theia Xml Extension.

Vulnerability Description

XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Xml Language Server Project	Xml Server Project	< 0.9.1
Eclipse	Wild Web Developer	-
Theia Xml Extension Project	Theia Xml Extension	-

Related Weaknesses (CWE)

CWE-22

References

https://github.com/angelozerr/lsp4xml/Product
https://github.com/angelozerr/lsp4xml/blob/master/CHANGELOG.md#othersRelease NotesThird Party Advisory
https://github.com/angelozerr/lsp4xml/pull/567PatchThird Party Advisory
https://github.com/redhat-developer/vscode-xml/PatchThird Party Advisory
https://marketplace.visualstudio.com/items?itemName=redhat.vscode-xmlThird Party Advisory
https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vsExploitThird Party Advisory
https://github.com/angelozerr/lsp4xml/Product
https://github.com/angelozerr/lsp4xml/blob/master/CHANGELOG.md#othersRelease NotesThird Party Advisory
https://github.com/angelozerr/lsp4xml/pull/567PatchThird Party Advisory
https://github.com/redhat-developer/vscode-xml/PatchThird Party Advisory
https://marketplace.visualstudio.com/items?itemName=redhat.vscode-xmlThird Party Advisory
https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vsExploitThird Party Advisory

FAQ

What is CVE-2019-18212?

CVE-2019-18212 is a vulnerability with a CVSS score of 6.5 (MEDIUM). XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote a...

How severe is CVE-2019-18212?

CVE-2019-18212 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-18212?

Check the references section above for vendor advisories and patch information. Affected products include: Xml Language Server Project Xml Server Project, Eclipse Wild Web Developer, Theia Xml Extension Project Theia Xml Extension.