Eclipse Leshan is a device management server and client Java implementation. In affected versions DDFFileParserandDefaultDDFFileValidator(and soObjectLoader) are vulnerable toXXE Attacks`. A DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-611"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41034.json"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.5.0"
},
{
"introduced": "2.0.0-milestone1"
},
{
"last_affected": "2.0.0-milestone1"
},
{
"introduced": "2.0.0-milestone10"
},
{
"last_affected": "2.0.0-milestone10"
},
{
"introduced": "2.0.0-milestone11"
},
{
"last_affected": "2.0.0-milestone11"
},
{
"introduced": "2.0.0-milestone12"
},
{
"last_affected": "2.0.0-milestone12"
},
{
"introduced": "2.0.0-milestone2"
},
{
"last_affected": "2.0.0-milestone2"
},
{
"introduced": "2.0.0-milestone3"
},
{
"last_affected": "2.0.0-milestone3"
},
{
"introduced": "2.0.0-milestone4"
},
{
"last_affected": "2.0.0-milestone4"
},
{
"introduced": "2.0.0-milestone5"
},
{
"last_affected": "2.0.0-milestone5"
},
{
"introduced": "2.0.0-milestone6"
},
{
"last_affected": "2.0.0-milestone6"
},
{
"introduced": "2.0.0-milestone7"
},
{
"last_affected": "2.0.0-milestone7"
},
{
"introduced": "2.0.0-milestone8"
},
{
"last_affected": "2.0.0-milestone8"
},
{
"introduced": "2.0.0-milestone9"
},
{
"last_affected": "2.0.0-milestone9"
}
],
"cpe": [
"cpe:2.3:a:eclipse:leshan:*:*:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone1:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone10:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone11:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone12:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone2:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone3:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone4:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone5:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone6:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone7:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone8:*:*:*:*:*:*",
"cpe:2.3:a:eclipse:leshan:2.0.0:milestone9:*:*:*:*:*:*"
],
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
]
}"2026-07-09T09:39:21Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41034.json"
[
{
"signature_type": "Function",
"target": {
"file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java",
"function": "DDFFileParser"
},
"deprecated": false,
"digest": {
"length": 131.0,
"function_hash": "112132251650979455020530205440897708048"
},
"id": "CVE-2023-41034-216aea22",
"source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
"signature_version": "v1"
},
{
"signature_type": "Function",
"target": {
"file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java",
"function": "getEmbeddedLwM2mSchema"
},
"deprecated": false,
"digest": {
"length": 245.0,
"function_hash": "237108993301340176968770709437993627186"
},
"id": "CVE-2023-41034-2b7d6545",
"source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"45880770282846884601284427041015995044",
"95169844009773388857870879042304079351",
"308220482238997735255890079680512829514",
"37948561098649931725789504006028637254",
"24902648833500247232837118258358593395",
"129514908223358611218345249590568226783",
"63896513064352376436083745393434523592",
"137075230668628750169402724552438603157"
],
"threshold": 0.9
},
"id": "CVE-2023-41034-3dcb100f",
"source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "leshan-core/src/test/java/org/eclipse/leshan/core/model/DDFFileParserTest.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"242314717943366220870141432382158099006",
"189852283634600278334276759222608334543",
"203467205585413036845815988732211231851",
"182226392566595191678688636994668885466",
"17695505341159378715321889487742566404",
"62531583052037463261089425512167904033",
"145219763436386524007942274368761675450",
"335423710570500327518939223124749421667",
"53285797452823956303838961912357002091"
],
"threshold": 0.9
},
"id": "CVE-2023-41034-44c6c046",
"source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
"signature_version": "v1"
},
{
"signature_type": "Function",
"target": {
"file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java",
"function": "DDFFileParser"
},
"deprecated": false,
"digest": {
"length": 182.0,
"function_hash": "52710533708919467597417151252120139818"
},
"id": "CVE-2023-41034-9810be00",
"source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013",
"signature_version": "v1"
},
{
"signature_type": "Function",
"target": {
"file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java",
"function": "getEmbeddedLwM2mSchema"
},
"deprecated": false,
"digest": {
"length": 231.0,
"function_hash": "63427233686271172612166336625608161474"
},
"id": "CVE-2023-41034-a183f538",
"source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"115729365069980650686153977819415124338",
"188350188840414607550987041215903346447",
"75256081097726451239142718650667979254",
"297000428072123989345404796242628781768",
"4430587957913202764103452207951461294",
"20285762405733447032206306108848805333",
"187433684835951687701158858927284189678",
"218630000264675851591819883909995949662",
"256605570271465775775618381191903812281",
"116224701539792437818075443554110477796",
"169082512716778544763256138959280990725"
],
"threshold": 0.9
},
"id": "CVE-2023-41034-bcf26722",
"source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"224793050385932402359716846565473886911",
"64411032892954427213694186536495358510",
"68315008682031517132333035922268930791",
"176575345234979434188987061320702333853",
"15673455243346571594061287544353981945",
"77525323166135210316798616360521246086",
"161767609788803444337232487009427185627",
"283833623819636711997085278428840596443",
"260584916336028519124763346542010607449",
"253200802636479195599648177865208651697"
],
"threshold": 0.9
},
"id": "CVE-2023-41034-d2d3a5c6",
"source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"331866631334698974891268203364968538464",
"201181351608272125293095004071975403459",
"142997430677257658315466546654741836464",
"322608446906846335492472204206308618971",
"71124720481208310578680349502640176869",
"286790915122307017608269268308474201912",
"144689773262673485837071862541365140900",
"86248679191031874337274423609528403631",
"63896513064352376436083745393434523592",
"137075230668628750169402724552438603157"
],
"threshold": 0.9
},
"id": "CVE-2023-41034-d63c47d3",
"source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
"signature_version": "v1"
},
{
"signature_type": "Function",
"target": {
"file": "leshan-core/src/test/java/org/eclipse/leshan/core/model/DDFFileParserTest.java",
"function": "test_xxe_injection_failed"
},
"deprecated": false,
"digest": {
"length": 206.0,
"function_hash": "33430740049175250943106065286647360992"
},
"id": "CVE-2023-41034-d6e203b3",
"source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
"signature_version": "v1"
}
]