CVE-2018-1000828
Last modified
CVE-2018-1000828 is a critical-severity vulnerability rated 9/10 on the CVSS scale. FrostWire version <= frostwire-desktop-6.7.4-build-272 contains a XML External Entity (XXE) vulnerability in Man in the middle on update that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the middle the call to update the software.. EPSS estimates a 1.33% chance of exploitation in the next 30 days.
Description
FrostWire version <= frostwire-desktop-6.7.4-build-272 contains a XML External Entity (XXE) vulnerability in Man in the middle on update that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the middle the call to update the software.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Frostwire | Frostwire | 1.9.9 | Build246 |
| Frostwire | Frostwire | 2.0.7 | Build263 |
| Frostwire | Frostwire | 6.1.6 | Build166 |
| Frostwire | Frostwire | 6.1.7 | Build168 |
| Frostwire | Frostwire | 6.1.8 | Build169 |
| Frostwire | Frostwire | 6.1.9 | Build172 |
| Frostwire | Frostwire | 6.2.0 | Build173 |
| Frostwire | Frostwire | 6.2.1 | Build175 |
| Frostwire | Frostwire | 6.2.2 | Build176 |
| Frostwire | Frostwire | 6.2.3 | Build177 |
| Frostwire | Frostwire | 6.2.4 | Build179 |
| Frostwire | Frostwire | 6.3.0 | Build180 |
| Frostwire | Frostwire | 6.3.1 | Build186 |
| Frostwire | Frostwire | 6.3.2 | Build187 |
| Frostwire | Frostwire | 6.3.3 | Build189 |
| Frostwire | Frostwire | 6.3.4 | Build193 |
| Frostwire | Frostwire | 6.3.5 | Build195 |
| Frostwire | Frostwire | 6.3.6 | Build201 |
| Frostwire | Frostwire | 6.3.7 | Build203 |
| Frostwire | Frostwire | 6.4.0 | Build207 |
| Frostwire | Frostwire | 6.4.1 | Build209 |
| Frostwire | Frostwire | 6.4.2 | Build212 |
| Frostwire | Frostwire | 6.4.3 | Build214 |
| Frostwire | Frostwire | 6.4.4 | Build215 |
| Frostwire | Frostwire | 6.4.5 | Build218 |
| Frostwire | Frostwire | 6.4.6 | Build223 |
| Frostwire | Frostwire | 6.4.7 | Build228 |
| Frostwire | Frostwire | 6.4.8 | Build230 |
| Frostwire | Frostwire | 6.4.9 | Build235 |
| Frostwire | Frostwire | 6.5.0 | Build236 |
| Frostwire | Frostwire | 6.5.1 | Build238 |
| Frostwire | Frostwire | 6.5.2 | Build239 |
| Frostwire | Frostwire | 6.5.3 | Build240 |
| Frostwire | Frostwire | 6.5.4 | Build241 |
| Frostwire | Frostwire | 6.5.5 | Build242 |
| Frostwire | Frostwire | 6.5.8 | Build244 |
| Frostwire | Frostwire | 6.5.9 | Build246 |
| Frostwire | Frostwire | 6.6.0 | Build248 |
| Frostwire | Frostwire | 6.6.1 | Build249 |
| Frostwire | Frostwire | 6.6.2 | Build250 |
| Frostwire | Frostwire | 6.6.3 | Build252 |
| Frostwire | Frostwire | 6.6.4 | Build256 |
| Frostwire | Frostwire | 6.6.5 | Build257 |
| Frostwire | Frostwire | 6.6.6 | Build258 |
| Frostwire | Frostwire | 6.6.7 | Build529 |
| Frostwire | Frostwire | 6.6.8 | Build260 |
| Frostwire | Frostwire | 6.7.0 | Build261 |
| Frostwire | Frostwire | 6.7.1 | Build266 |
| Frostwire | Frostwire | 6.7.2 | Build269 |
| Frostwire | Frostwire | 6.7.3 | Build271 |
Showing 50 of 51 affected configurations. See NVD for the full list.
References
- https://0dd.zone/2018/10/28/frostwire-XXE-MitM/Third Party Advisory
- https://github.com/frostwire/frostwire/issues/829Issue Tracking, Third Party Advisory
- https://0dd.zone/2018/10/28/frostwire-XXE-MitM/Third Party Advisory
- https://github.com/frostwire/frostwire/issues/829Issue Tracking, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-1000828?
How severe is CVE-2018-1000828?
How do I fix CVE-2018-1000828?
Are you affected by CVE-2018-1000828?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST