CVE-2021-41042: External DTD access in Eclipse Lyo (#287) · Issues · Eclipse Foundation / EMO Team / EMO
Created May 05, 2022 by Andrii Berezovskyi (@aberezovsky). 6 of 6 tasks completed.
External DTD access in Eclipse Lyo
The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue is used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.
Basic information
Project name: Eclipse Lyo
Project id: technology.lyo
Versions affected: [1.0.0, 4.1.0]
Common Weakness Enumeration:
- CWE-611
Common Vulnerability Scoring System: {cvss}
I don’t know the right score, as I don’t have a proven exploit for it. I simply fixed the SonarCloud warning and I assume the score is similar to a very similar issue in Apache Jena. However, they had two CVEs, one for just external DTD loading, which has a 4.5 score (CVE-2022-28890) and another one for potential XXE code execution which has a score of 7.5 (CVE-2021-39239). My assessment is https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND or https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L&version=3.1 for v3) assuming the REST API getting attacked is protected and the attacker needs valid credentials to access the API. The rating could be worse if users expose an API that does not require auth (our SDK does not enforce it): https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND)
Summary:
In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
Links:
- https://docs.oracle.com/en/java/javase/17/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC (I am not sure what you mean though.)
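The weak default the summary describes, beside the configuration the linked JAXP security guide recommends, as an added Java example (not Lyo's own code). The class, method names and the RDF/XML sample are constructed for illustration, and the example assumes the JDK's built-in JAXP implementation (other implementations may reject the attributes with an IllegalArgumentException):

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
public class RdfXmlTransformerHardening {
    // Weak: plain defaults. The JDK's built-in factory leaves ACCESS_EXTERNAL_DTD at "all",
    // so a DOCTYPE in the input makes the parser fetch the DTD from wherever it points.
    static TransformerFactory weakFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened: deny every protocol for external DTDs and stylesheets. The empty string
    // means "no protocol allowed", so the parse fails instead of retrieving anything.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Identity transform: parse the RDF/XML through the factory's parser and re-serialize it.
    static String identityTransform(TransformerFactory tf, String rdfXml) throws TransformerException {
        Transformer t = tf.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(rdfXml)), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: RDF/XML declaring an external DTD. The host is a placeholder
        // (.invalid is a reserved TLD and never resolves).
        String rdfXml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE rdf:RDF SYSTEM \"http://dtd-host.invalid/placeholder.dtd\">\n"
            + "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n"
            + "  <rdf:Description rdf:about=\"urn:example:r1\"/>\n"
            + "</rdf:RDF>\n";
        try {
            identityTransform(hardenedFactory(), rdfXml);
            System.out.println("unexpected: hardened factory accepted the external DTD");
        } catch (TransformerException e) {
            // Expected with the hardened factory; weakFactory() would instead try to fetch the DTD.
            System.out.println("rejected external DTD: " + e.getMessage());
        }
    }
}
```

Setting FEATURE_SECURE_PROCESSING alone already switches the JDK's access defaults to "", but stating the two attributes explicitly keeps the intent visible and survives implementation swaps that treat the feature differently.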
Tracking
This section will be completed by the project team.
- We’re ready for this issue to be reported to the central authority (i.e., make this public now)
- (when applicable) The GitHub Security Advisory is ready to be published now
Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.
This section will be completed by the EMO.
CVE: CVE-2021-41042
- All required information is provided
- CVE Assigned
- Pushed to Mitre
- Accepted by Mitre
Edited Jul 07, 2022 by Wayne Beaton