CVE-2018-1000546
Description
TripleA version <= 1.9.0.0.10291 contains an XML External Entity (XXE) vulnerability in importing game data that can result in possible information disclosure, server-side request forgery, or remote code execution. This attack appears to be exploitable via a specially crafted game data file (XML).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1.8.0.10.1006, 1.8.0.10.1007, 1.8.0.10.1009, …+ 1 more
- (no CPE) range: 1.8.0.10.1006, 1.8.0.10.1007, 1.8.0.10.1009, …
- (no CPE) range: <=1.9.0.0.10291
Patches
Vulnerability mechanics
Root cause
"The XML parser used by TripleA is not securely configured, allowing external entity expansion."
Attack vector
An attacker can craft a malicious XML game data file containing a reference to an external entity. This file can then be shared with another user. When the victim loads this specially crafted file on a game server, the vulnerable XML parser will process the external entity. This can lead to information disclosure, server-side request forgery, or remote code execution, depending on the parser's configuration and the system's capabilities [ref_id=1].
Affected code
The vulnerability occurs in the `GameParser.java` file within the `games.strategy.engine.data` package. Specifically, the XML parser is created using `factory.newDocumentBuilder()` on line 300 and the input is parsed on line 319 with `builder.parse(input, system)` [ref_id=1].
What the fix does
The advisory does not specify any patches or fixes. The recommended remediation is to disable external entity processing in the XML parser. This prevents the parser from fetching and processing external resources, thereby mitigating XXE vulnerabilities [ref_id=1].
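The remediation described above, as an added example that is not TripleA's code and not taken from the advisory: a JAXP `DocumentBuilderFactory` with DOCTYPE declarations and external entities disabled, run against two constructed documents. The class name, the helper names and the sample XML are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class HardenedXmlParserExample {

  /** Builds a factory with DTDs and external entities disabled (standard JAXP/Xerces features). */
  static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Rejects any document that carries a DOCTYPE; drop this only if input files must declare one.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Defence in depth for the case where the DOCTYPE ban above has to be relaxed.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    return factory;
  }

  /** Returns true if the hardened parser refuses the document, false if it parses cleanly. */
  static boolean isRejected(String xml) throws Exception {
    DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
    try {
      builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      return false;
    } catch (SAXException e) {
      return true; // e.g. a DOCTYPE was present and is disallowed
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed inputs: a plain document, and one declaring an external entity (placeholder URI).
    String plain = "<game><info name=\"sample\"/></game>";
    String withEntity = "<!DOCTYPE game [<!ENTITY ext SYSTEM \"file:///nonexistent-placeholder\">]>"
        + "<game>&ext;</game>";
    System.out.println("plain document rejected: " + isRejected(plain));
    System.out.println("document with external entity rejected: " + isRejected(withEntity));
  }
}
```

If the application's data files legitimately carry a DOCTYPE, the `disallow-doctype-decl` line cannot be used as-is; the remaining settings still stop the parser from fetching external entities and DTDs.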
Preconditions
- input: Attacker must provide a specially crafted XML game data file.
- network: The attacker shares the malicious file with a victim.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- 0dd.zone/2018/05/31/TripleA-XXE/ (mitre, x_refsource_MISC)
- github.com/triplea-game/triplea/issues/3442 (mitre, x_refsource_MISC)