IBM CICS TX Standard and Advanced 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  229430.

  

**Summary**

IBM CICS TX Standard could allow users to embed arbitrary JavaScript code which may allow trusted credentials disclosure. The fix removes this vulnerability (CVE-2022-34166) from IBM CICS TX Standard.

**Vulnerability Details**

**CVEID:**   CVE-2022-34166  
**DESCRIPTION:**   IBM CICS TX is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229430 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM CICS TX Standard

All

  

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability by downloading and applying the interim fixes from the table below  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

06 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSL1TD","label":"CICS TX Standard"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2022-34166: IBM CICS TX Standard is vulnerable to cross-site scripting (CVE-2022-34166)

IBM CICS TX Standard and Advanced 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  229432.

  

**Summary**

IBM CICS TX Standard could allow users to embed arbitrary JavaScript code which may allow trusted credentials disclosure. The fix removes this vulnerability (CVE-2022-34167) from IBM CICS TX Standard.

**Vulnerability Details**

**CVEID:**   CVE-2022-34167  
**DESCRIPTION:**   IBM CICS TX is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229432 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM CICS TX Standard

All

  

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability by downloading and applying the interim fixes from the table below  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

06 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSL1TD","label":"CICS TX Standard"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2022-34167: IBM CICS TX Standard is vulnerable to a stored cross-site scripting attack (CVE-2022-34167)

A URL disclosure issue was discovered in Burp Suite before 2022.6. If a user views a crafted response in the Repeater or Intruder, it may be incorrectly interpreted as a redirect.

show checksums

SHA256: {SHA FROM OPTION GOES HERE} MD5: {MD5 FROM OPTION GOES HERE}

This release introduces several improvements to the Intruder and Repeater tab bars, including the ability to select between a scrolling or wrapped tab view and, for Repeater, the ability to organize tabs into groups. It also introduces HTTP/1 keep-alive, in which Burp Suite can now reuse a single TCP connection to send multiple HTTP/1 requests, and adds a selection of preset scan modes to the **Scan Configuration** menu. Finally, we have released several key improvements for DOM Invader, including the ability to test for client-side prototype pollution.

**Grouped Tabs**

You can now organize Repeater tabs into color-coded groups. Grouping tabs makes it easier than ever to work with large numbers of open tabs and keep track of related requests.

We have also added a search function to the tab bar, which you can use to search for individual tabs or groups.

**Scrollable tab view**

Intruder and Repeater now provide two views for tabs. As well as the standard wrapped view, you can now also display tabs as a single, scrollable row. This can help to free up on-screen real estate, especially on smaller displays.

**DOM Invader improvements**

This release provides the following key improvements to DOM Invader:

*   You can now use DOM Invader to test for client-side prototype pollution.
*   The augmented **DOM** view now displays additional information to help you analyze vulnerabilities and potentially craft exploits. This includes the frame path, the outer HTML of the element, and the event that occurred when your payload was passed to the sink. Similarly, the **Messages** view now tells you both the frame that each message was sent from and the frame that it was sent to.
*   You can now set a callback function for each sink, source, and message that DOM Invader finds. This enables you to log the results using custom JavaScript code.
*   You can now prevent DOM Invader from consolidating messages with duplicate values. This is useful in cases where you want to see every single message being sent.
*   You can now disable specific sources and sinks to reduce noise.

For an overview of how to use these new features from PortSwigger researcher and creator of DOM Invader, Gareth Heyes, check out the following video:

**HTTP/1 keep-alive**

You can now send multiple HTTP/1 requests using the same TCP connection. Previously, Burp always closed the connection after each request / response pair, even if the server supported connection reuse.

Reusing connections in this way brings significant benefits in terms of request speed and timing accuracy.

To enable HTTP/1 keep-alive, go to **Project options > HTTP > HTTP/1** and select the **Use keep-alive for HTTP/1** if the server supports it option. You can override this setting in Repeater using the **Enable HTTP/1 keep-alive reuse** menu option.

**Preset scan modes**

You can now select from four preset scan modes when configuring a scan. These preset scan modes offer a quick way to adjust how the scan balances speed and coverage, without requiring you to set up a custom scan configuration.

To use these new scan modes, select **Use a preset scan mode** from the **Scan Configuration** menu and choose one of the available options.

**Other improvements**

We have made numerous improvements to Burp Scanner to improve stability, performance, and progress estimation.

**Security fixes**

This release provides the following security improvements:

*   We have upgraded Burp's browser to Chromium 102.0.5005.115, which fixes a number of high severity bugs.
*   We have resolved a low-severity security issue that could lead to Repeater and Intruder disclosing URLs due to incorrectly interpreting a crafted response as a redirect. This issue was privately reported to us via our bug bounty program.
*   We have hardened Burp’s Referer calculation, bringing it in line with the default Referrer-Policy settings used in modern browsers.

**Bug fixes**

This release also provides a number of bug fixes. Most notably:

*   Burp's browser no longer issues unnecessary requests to Google on launch.
*   We have fixed an issue whereby Repeater responses could be overwritten by long-running requests.
*   We have fixed an issue with logging in headless mode, whereby the log file was being created but no data was being written to the log.

CVE-2022-35406: Professional / Community 2022.6

All security issues have been patched – update now

All security issues have been patched – update now

  

Node.js maintainers have released multiple fixes for vulnerabilities in the JavaScript runtime environment that could lead to arbitrary code execution and HTTP request smuggling, among other attacks.

In an advisory released last night (July 7), the details of seven now-patched bugs were released, including three separate HTTP Request Smuggling vulnerabilities.

Read more of the latest news about security vulnerabilities

These three vulnerabilities – a flawed parsing of transfer-encoding bug, tracked as CVE-2022-32213; an improper delimiting of header fields issue, tracked as CVE-2022-32214; and an Incorrect parsing of multi-line transfer-encoding bug, tracked as CVE-2022-32215 – could all lead to HTTP request smuggling.

These bugs, which were all rated as medium severity, impact all versions of the 18.x, 16.x, and 14.x releases lines. llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js.

**Other issues**

The advisory also contains details of a DNS rebinding vulnerability in via invalid IP addresses.

Rated as high severity, the bug (CVE-2022-32212) could allow for arbitrary code execution, the advisory warns.

“The check can easily be bypassed because does not properly check if an IP address is invalid or not.

“When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884,” the post reads. The vulnerability impacts all versions of the 18.x, 16.x, and 14.x releases lines.

The advisory also details a DLL Hijacking vulnerability on Windows (CVE-2022-32223), and CVE-2022-32222, a medium-severity bug that could allow an attacker to attempt to read openssl.cnf from upon system startup.

BACKGROUND High severity OpenSSL bug could lead to remote code execution

Finally, the release also contains fixes for a vulnerability in OpenSSL, as previously reported by The Daily Swig.

The moderate-severity implementation bug (CVE-2022-2097) could cause encryption to fail in some circumstances.

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data, which could reveal sixteen bytes of data that was pre-existing in the memory that wasn’t written.

In the special case of ‘in place’ encryption, sixteen bytes of the plaintext could be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

All of the vulnerabilities have been fixed in the latest versions, Node.js v14.20.0 (LTS), Node.js v16.16.0 (LTS), and Node.js v18.5.0 (Current).

YOU MAY ALSO LIKE Spring Data MongoDB hit by another critical SpEL injection flaw

Node.js fixes multiple bugs that could lead to RCE, HTTP request smuggling

An issue in the isSVG() function of Known v1.2.2+2020061101 allows attackers to execute arbitrary code via a crafted SVG file.

**Simple publishing**

Known allows you to create and share photos, notes, stories, songs, and more. It's easy to use and its web interface works on any device.

**Features at a glance**

**Bookmarklet**

Easily post to your site, save links, and respond to comments from any page on the web

**#Tags**

Use hashtags with any content to categorize and organize what you publish

**Responsive Layout**

View, edit, and post to your site from any device

**Decentralized Indieweb**

Sites can respond to each other, bookmark each others' content and leave comments on each others' posts

**Email Notifications**

Get updated whenever someone responds to a post

**Feeds**

Get your latest updates via RSS, XML, JSON, or KML

**Multi-Author**

Invite an unlimited number of collaborators and create a multi-user site

**HTML & Rich Text Editor**

Handcraft your posts in HTML or save time with the WYSIWYG

**Custom URL**

Bring your own URL and really own your site with a custom domain

**Static Pages**

Round out your site with static content like an about page or a contact page

**Privacy**

Keep your site private and create a space for your personal thoughts or a private group discussion

**Custom JavaScript & CSS**

Change your site's look and add your own analytics with JavaScript and CSS editors

**Any device, any place**

You already spend enough time in front of a computer, and inspiration can strike anywhere. Known is fully responsive and works on whatever device you’ve got in your hand. Whether you’re sharing a sunset picture from the beach or blogging from the road, Known is there for you.

"more easily organize all your digital info in one place"

"designed to give everyone a fully open publishing platform"

"This is really how the web should be."

CVE-2022-32115: Known: social publishing for groups and individuals

A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.
Mobile security firm Zimperium dubbed the malware family ABCsoup, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security

A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.

Mobile security firm Zimperium dubbed the malware family **ABCsoup**, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores."

The rogue browser add-ons come with the same extension ID as that of Google Translate — "aapbdbdomjkkjkaonfhkkikfgjllcleb" — in an attempt to trick users into believing that they have installed a legitimate extension.

The extensions are not available on the official browser web stores themselves. Rather they are delivered through different Windows executables that install the add-on on the victim's web browser.

In the event the targeted user already has the Google Translate extension installed, it replaces the original version with the malicious variant owing to their higher version numbers (30.2.5 vs. 2.0.10).

"Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs," Zimperium researcher Nipun Gupta said.

All the observed variants of the extension are geared towards serving pop-ups, harvesting personal information to deliver target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as a spyware to capture keystrokes and monitor web browser activity.

The main function of ABCsoup entails checking for Russian social networking services like Odnoklassniki and VK among the current websites opened in the browser, and if so, gather the users' first and last names, dates of birth, and gender, and transmit the data to a remote server.

Not only does the malware use this information to serve personalized ads, the extension also comes with capabilities to inject custom JavaScript code based on the websites opened. This includes YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, suggesting a heavy Russia focus.

Zimperium attributed the campaign to a "well-organized group" of Eastern European and Russian origin, with the extensions designed to target Russian users given the wide variety of local domains targeted.

"This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta said. "The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign

A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.

**Privilege escalation vulnerability on Token Exchange feature**

**Package**

maven org.keycloak.services (Maven)

**Affected versions**

< 18.0.0

**Description**

A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client\_id of the target. This could allow a client to gain unauthorized access to additional services.

CVE-2022-1245

By Deeba Ahmed
Apple has announced adding a new feature to iOS devices dubbed the Lockdown Mode. This feature aims to…
This is a post from HackRead.com Read the original post: Apple Debuts Lockdown Mode to Prevent State-Sponsored Spying

Apple has announced adding a new feature to iOS devices dubbed the Lockdown Mode. This feature aims to protect Apple users from “highly targeted mercenary spyware,” revealed Apple’s official blog post on the announcement.

**What is Lockdown Mode?**

The newly introduced security capability will act as additional, specialized protection for the Apple device to prevent targeted cyberattacks or spying campaigns, particularly from state-sponsored spies/hackers.

Though a small fraction of users may be at the risk of targeted spying, it is still a welcome addition for iOS users. Users who may become targets of threat actors because of who they are or what they do, especially users targeted by the NSO Group or private hackers, would benefit the most from this feature. These include human rights activities, political nonconformists, protestors, journalists, etc.

The Lockdown Mode will automatically lock down all hijackable system functionalities so that even the most advanced hackers cannot compromise the device.

Apple’s head of security engineering and architecture, Ivan Krstić, called it a “groundbreaking capability” reflecting Apple’s “unwavering commitment to protecting users from even the rarest, most sophisticated attacks.”

**Lockdown Mode Capabilities**

According to Apple’s blog post, after Lockdown Mode is formally available on iOS devices, it will perform the following functions to protect the device.

*   Blocking/disabling link previews and attachments in messages.
*   Blocking wired connection with any computer, device, or accessory if the iPhone is locked.
*   Disabling just-in-time JavaScript compilation except if the user has excluded some website from blocking.
*   Blocking incoming service requests, invitations, and FaceTime calls from unknown users, allowing calls/requests from senders the device user has previously contacted.
*   Blocking configuration profiles installation and enrollment of the device in MDM (mobile device management).

**Lockdown Mode Official Launching**

The Lockdown Mode will be rolled out in late September 2022. It will be introduced on iOS 16, macOS Ventura, and iPadOS 16. Initially, it will be offered as a test version for researchers to help the company detect security flaws and bugs.

It is worth noting that Apple offered a $10 million reward to cybersecurity researchers working on improving Lockdown Mode defenses and a $2 million bug bounty to those who detect security flaws.

The introduction of Lockdown Mode highlights that not even the world’s most valuable company can protect its products from state-backed intrusion or commercial spyware. 

**More Apple Security News**

1.  Google hackers found malicious websites hacking iPhones
2.  Zero-Click exploit allowed attackers to hack any targeted iPhone
3.  15-year-old Unpatched Root Access Bug found in Apple’s macOS
4.  55 Apple vulnerabilities risked iCloud account takeover, data theft
5.  Apple Bug bounty: Earn big backs for hacking iPhone & other products

Apple Debuts Lockdown Mode to Prevent State-Sponsored Spying

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.

**Package**

maven jetty-server (Maven)

**Affected versions**

<=10.0.9,<=11.0.9

**Patched versions**

10.0.10,11.0.10

**Impact**

SslConnection does not release ByteBuffers in case of error code paths.  
For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the ByteBuffers used to process the TLS handshake will be leaked.

**Workarounds**

Configure explicitly a RetainableByteBufferPool with max[Heap|Direct]Memory to limit the amount of memory that is leaked.  
Eventually the pool will be full of "active" entries (the leaked ones) and will provide ByteBuffers that will be GCed normally.

_With embedded-jetty_

int maxBucketSize = 1000;
long maxHeapMemory = 128 \* 1024L \* 1024L; // 128 MB
long maxDirectMemory = 128 \* 1024L \* 1024L; // 128 MB
RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);

server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started
server.start();

_With jetty-home/jetty-base_

Create a ${jetty.base}/etc/retainable-byte-buffer-config.xml

<?xml version\="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure\_10\_0.dtd">

<Configure id\="Server" class\="org.eclipse.jetty.server.Server"\>
  <Call name\="addBean"\>
    <Arg\>
      <New class\="org.eclipse.jetty.io.ArrayRetainableByteBufferPool"\>
        <Arg type\="int"\><Property name\="jetty.byteBufferPool.minCapacity" default\="0"/></Arg\>
        <Arg type\="int"\><Property name\="jetty.byteBufferPool.factor" default\="\-1"/></Arg\>
        <Arg type\="int"\><Property name\="jetty.byteBufferPool.maxCapacity" default\="\-1"/></Arg\>
        <Arg type\="int"\><Property name\="jetty.byteBufferPool.maxBucketSize" default\="1000"/></Arg\>
        <Arg type\="long"\><Property name\="jetty.byteBufferPool.maxHeapMemory" default\="128000000"/></Arg\>
        <Arg type\="long"\><Property name\="jetty.byteBufferPool.maxDirectMemory" default\="128000000"/></Arg\>
      </New\>
    </Arg\>
  </Call\>
</Configure\>

And then reference it in ${jetty.base}/start.d/retainable-byte-buffer-config.ini

    etc/retainable-byte-buffer-config.xml
    

**References**

#8161

**For more information**

*   Email us at security@webtide.com

CVE-2022-2191

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

Skip to content

**GitLab **

*   Menu

Projects Groups Snippets

*   
*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    
*   Sign in
    

*   Eclipse Foundation
*   EMO Team
*   EMO
*   Issues
*   **#287**

Closed

Open

Created May 05, 2022 by **Andrii Berezovskyi@aberezovsky**6 of 6 tasks completed6/6 tasks

**External DTD access in Eclipse Lyo**

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.

**Basic information**

**Project name:** Eclipse Lyo

**Project id:** technology.lyo

**Versions affected:** \[1.0.0, 4.1.0\]

**Common Weakness Enumeration:**

*   CWE-611

**Common Vulnerability Scoring System:** {cvss}

I don't know the right score, as I don't have a proven exploit for it. I simply fixed the SonarCloud warning and I assume the score is similar to a very similar issue in Apache Jena. However, they had two CVEs, one for just external DTD loading, which has a 4.5 score (CVE-2022-28890) and another one for potential XXE code execution which has a score of 7.5 (CVE-2021-39239). My assessment is https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND or https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L&version=3.1 for v3) assuming the REST API getting attacked is protected and the attacker needs valid credentials to access the API. The rating could be worse if users expose an API that does not require auth (our SDK does not enforce it): https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND)

**Summary:**

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

**Links:**

*   https://docs.oracle.com/en/java/javase/17/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC (_I am not sure what you mean though._)

**Tracking**

**This section will completed by the project team**.

*   We're ready for this issue to be reported to the central authority (i.e., make this public now)
*   (when applicable) The GitHub Security Advisory is ready to be published now

Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.

**This section will be completed by the EMO**.

**CVE:** CVE-2021-41042

*   All required information is provided
*   CVE Assigned
*   Pushed to Mitre
*   Accepted by Mitre

Edited Jul 07, 2022 by Wayne Beaton

Copyright © Eclipse Foundation, Inc. All Rights Reserved.     Privacy Policy | Terms of Use | Copyright Agent

Tag

#java