CVE-2023-41034

Source
https://cve.org/CVERecord?id=CVE-2023-41034
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41034.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41034
Aliases
Published
2023-08-31T17:01:38.082Z
Modified
2026-07-09T09:39:21.773466Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
DDFFileParser in eclipse leshan is vulnerable to XXE Attacks
Details

Eclipse Leshan is a device management server and client Java implementation. In affected versions DDFFileParserandDefaultDDFFileValidator(and soObjectLoader) are vulnerable toXXE Attacks`. A DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-611"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41034.json"
}
References

Affected packages

Git / github.com/eclipse-leshan/leshan

Affected ranges

Type
GIT
Repo
https://github.com/eclipse-leshan/leshan
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.5.0"
        },
        {
            "introduced": "2.0.0-milestone1"
        },
        {
            "last_affected": "2.0.0-milestone1"
        },
        {
            "introduced": "2.0.0-milestone10"
        },
        {
            "last_affected": "2.0.0-milestone10"
        },
        {
            "introduced": "2.0.0-milestone11"
        },
        {
            "last_affected": "2.0.0-milestone11"
        },
        {
            "introduced": "2.0.0-milestone12"
        },
        {
            "last_affected": "2.0.0-milestone12"
        },
        {
            "introduced": "2.0.0-milestone2"
        },
        {
            "last_affected": "2.0.0-milestone2"
        },
        {
            "introduced": "2.0.0-milestone3"
        },
        {
            "last_affected": "2.0.0-milestone3"
        },
        {
            "introduced": "2.0.0-milestone4"
        },
        {
            "last_affected": "2.0.0-milestone4"
        },
        {
            "introduced": "2.0.0-milestone5"
        },
        {
            "last_affected": "2.0.0-milestone5"
        },
        {
            "introduced": "2.0.0-milestone6"
        },
        {
            "last_affected": "2.0.0-milestone6"
        },
        {
            "introduced": "2.0.0-milestone7"
        },
        {
            "last_affected": "2.0.0-milestone7"
        },
        {
            "introduced": "2.0.0-milestone8"
        },
        {
            "last_affected": "2.0.0-milestone8"
        },
        {
            "introduced": "2.0.0-milestone9"
        },
        {
            "last_affected": "2.0.0-milestone9"
        }
    ],
    "cpe": [
        "cpe:2.3:a:eclipse:leshan:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone1:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone10:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone11:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone12:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone2:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone3:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone4:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone5:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone6:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone7:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone8:*:*:*:*:*:*",
        "cpe:2.3:a:eclipse:leshan:2.0.0:milestone9:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ]
}

Affected versions

2.*
2.0.0-milestone1
2.0.0-milestone10
2.0.0-milestone11
2.0.0-milestone12
2.0.0-milestone2
2.0.0-milestone3
2.0.0-milestone4
2.0.0-milestone5
2.0.0-milestone6
2.0.0-milestone7
2.0.0-milestone8
2.0.0-milestone9
leshan-0.*
leshan-0.1.10
leshan-0.1.11-M1
leshan-0.1.11-M10
leshan-0.1.11-M11
leshan-0.1.11-M12
leshan-0.1.11-M13
leshan-0.1.11-M14
leshan-0.1.11-M2
leshan-0.1.11-M3
leshan-0.1.11-M4
leshan-0.1.11-M5
leshan-0.1.11-M6
leshan-0.1.11-M7
leshan-0.1.11-M8
leshan-0.1.11-M9
leshan-1.*
leshan-1.0.0
leshan-1.0.0-M1
leshan-1.0.0-M10
leshan-1.0.0-M11
leshan-1.0.0-M12
leshan-1.0.0-M13
leshan-1.0.0-M2
leshan-1.0.0-M3
leshan-1.0.0-M4
leshan-1.0.0-M5
leshan-1.0.0-M6
leshan-1.0.0-M7
leshan-1.0.0-M8
leshan-1.0.0-M9
leshan-1.0.0-RC1
leshan-1.0.0-RC2
leshan-1.0.1
leshan-1.1.0
leshan-1.2.0
leshan-1.3.0
leshan-1.3.1
leshan-1.3.2
leshan-1.4.0
leshan-1.4.1
leshan-1.4.2
leshan-2.*
leshan-2.0.0-M1
leshan-2.0.0-M10
leshan-2.0.0-M11
leshan-2.0.0-M12
leshan-2.0.0-M2
leshan-2.0.0-M3
leshan-2.0.0-M4
leshan-2.0.0-M5
leshan-2.0.0-M6
leshan-2.0.0-M7
leshan-2.0.0-M8
leshan-2.0.0-M9

Database specific

vanir_signatures_modified
"2026-07-09T09:39:21Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41034.json"
vanir_signatures
[
    {
        "signature_type": "Function",
        "target": {
            "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java",
            "function": "DDFFileParser"
        },
        "deprecated": false,
        "digest": {
            "length": 131.0,
            "function_hash": "112132251650979455020530205440897708048"
        },
        "id": "CVE-2023-41034-216aea22",
        "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java",
            "function": "getEmbeddedLwM2mSchema"
        },
        "deprecated": false,
        "digest": {
            "length": 245.0,
            "function_hash": "237108993301340176968770709437993627186"
        },
        "id": "CVE-2023-41034-2b7d6545",
        "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "45880770282846884601284427041015995044",
                "95169844009773388857870879042304079351",
                "308220482238997735255890079680512829514",
                "37948561098649931725789504006028637254",
                "24902648833500247232837118258358593395",
                "129514908223358611218345249590568226783",
                "63896513064352376436083745393434523592",
                "137075230668628750169402724552438603157"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-41034-3dcb100f",
        "source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013",
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "leshan-core/src/test/java/org/eclipse/leshan/core/model/DDFFileParserTest.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "242314717943366220870141432382158099006",
                "189852283634600278334276759222608334543",
                "203467205585413036845815988732211231851",
                "182226392566595191678688636994668885466",
                "17695505341159378715321889487742566404",
                "62531583052037463261089425512167904033",
                "145219763436386524007942274368761675450",
                "335423710570500327518939223124749421667",
                "53285797452823956303838961912357002091"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-41034-44c6c046",
        "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java",
            "function": "DDFFileParser"
        },
        "deprecated": false,
        "digest": {
            "length": 182.0,
            "function_hash": "52710533708919467597417151252120139818"
        },
        "id": "CVE-2023-41034-9810be00",
        "source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java",
            "function": "getEmbeddedLwM2mSchema"
        },
        "deprecated": false,
        "digest": {
            "length": 231.0,
            "function_hash": "63427233686271172612166336625608161474"
        },
        "id": "CVE-2023-41034-a183f538",
        "source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013",
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "115729365069980650686153977819415124338",
                "188350188840414607550987041215903346447",
                "75256081097726451239142718650667979254",
                "297000428072123989345404796242628781768",
                "4430587957913202764103452207951461294",
                "20285762405733447032206306108848805333",
                "187433684835951687701158858927284189678",
                "218630000264675851591819883909995949662",
                "256605570271465775775618381191903812281",
                "116224701539792437818075443554110477796",
                "169082512716778544763256138959280990725"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-41034-bcf26722",
        "source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013",
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "224793050385932402359716846565473886911",
                "64411032892954427213694186536495358510",
                "68315008682031517132333035922268930791",
                "176575345234979434188987061320702333853",
                "15673455243346571594061287544353981945",
                "77525323166135210316798616360521246086",
                "161767609788803444337232487009427185627",
                "283833623819636711997085278428840596443",
                "260584916336028519124763346542010607449",
                "253200802636479195599648177865208651697"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-41034-d2d3a5c6",
        "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "331866631334698974891268203364968538464",
                "201181351608272125293095004071975403459",
                "142997430677257658315466546654741836464",
                "322608446906846335492472204206308618971",
                "71124720481208310578680349502640176869",
                "286790915122307017608269268308474201912",
                "144689773262673485837071862541365140900",
                "86248679191031874337274423609528403631",
                "63896513064352376436083745393434523592",
                "137075230668628750169402724552438603157"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2023-41034-d63c47d3",
        "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "file": "leshan-core/src/test/java/org/eclipse/leshan/core/model/DDFFileParserTest.java",
            "function": "test_xxe_injection_failed"
        },
        "deprecated": false,
        "digest": {
            "length": 206.0,
            "function_hash": "33430740049175250943106065286647360992"
        },
        "id": "CVE-2023-41034-d6e203b3",
        "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c",
        "signature_version": "v1"
    }
]