CVE-2022-41967: fix: CVE-2022-41967 · HyperaDev/Dragonfly@9661375
Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML when SNAPSHOT versions are being resolved, this vulnerability may be avoided by not trying to resolve SNAPSHOT versions.
fix: CVE-2022-41967
Dragonfly v0.3.0-SNAPSHOT fails to properly configure the DocumentBuilderFactory to prevent XML external entity (XXE) attacks when parsing maven-metadata.xml files provided by external Maven repositories during “SNAPSHOT” version resolution.
This patches CVE-2022-41967 by disabling features which may lead to XXE. If you are currently using v0.3.0-SNAPSHOT it is STRONGLY advised to update Dragonfly to v0.3.1-SNAPSHOT just to be safe.
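The kind of DocumentBuilderFactory hardening the advisory and commit message describe, shown as an added example that is not Dragonfly's own code: the factory disables DTD and external entity processing before a maven-metadata.xml fetched from a repository is parsed for its SNAPSHOT build id, and a constructed document carrying a DOCTYPE is shown being refused. The class name, the sample metadata and the DOCTYPE document are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedMetadataParser {
    // Factory with DTD processing and external entity resolution switched off,
    // so a hostile maven-metadata.xml served by a repository cannot trigger XXE.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE is the strongest single setting (Xerces-based parsers).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Constructed sample of the metadata a repository returns for a SNAPSHOT version.
    static final String METADATA = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<metadata><groupId>com.example</groupId><artifactId>lib</artifactId>"
        + "<version>1.0-SNAPSHOT</version><versioning><snapshot>"
        + "<timestamp>20220101.120000</timestamp><buildNumber>7</buildNumber>"
        + "</snapshot></versioning></metadata>";
    // Constructed document carrying a DOCTYPE; the hardened parser must refuse it.
    static final String WITH_DOCTYPE = "<?xml version=\"1.0\"?><!DOCTYPE metadata><metadata/>";

    // Parse the metadata and return the timestamped build id of the latest snapshot.
    static String resolveSnapshot(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        String ts = d.getElementsByTagName("timestamp").item(0).getTextContent();
        String bn = d.getElementsByTagName("buildNumber").item(0).getTextContent();
        return ts + "-" + bn;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("resolved snapshot build: " + resolveSnapshot(METADATA));
        try {
            resolveSnapshot(WITH_DOCTYPE);
        } catch (SAXParseException e) {
            System.out.println("rejected DOCTYPE in metadata: " + e.getMessage());
        }
    }
}
```

The feature URIs are honoured by the JDK's built-in Xerces parser; a different JAXP implementation may not recognise all of them, in which case setFeature throws and the parser should be treated as unsafe rather than used without the settings.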