GHSA-6296-mvgp-27hp

Suggest an improvement
Source
https://github.com/advisories/GHSA-6296-mvgp-27hp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-6296-mvgp-27hp/GHSA-6296-mvgp-27hp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6296-mvgp-27hp
Aliases
  • CVE-2021-41042
Published
2022-07-08T00:00:42Z
Modified
2024-02-21T05:42:56.933409Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
Summary
XML External Entity Reference in Eclipse Lyo
Details

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

Database specific 
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2022-07-08T17:53:33Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "nvd_published_at": "2022-07-07T21:15:00Z"
}
References

Affected packages

Maven / org.eclipse.lyo:lyo-parent

Package

Name
org.eclipse.lyo:lyo-parent
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.lyo/lyo-parent

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
5.0.0.Final

Affected versions

4.*
4.0.0.RC
4.0.0
4.1.0.alpha1
4.1.0.M1
4.1.0.RC
4.1.0
5.*
5.0.0.alpha1
5.0.0.alpha2
5.0.0.alpha3
5.0.0.alpha4
5.0.0.CR

Database specific

last_known_affected_version_range 
"<= 4.1.0"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-6296-mvgp-27hp/GHSA-6296-mvgp-27hp.json"