GHSA-68j8-fp38-p48q

Source
https://github.com/advisories/GHSA-68j8-fp38-p48q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-68j8-fp38-p48q/GHSA-68j8-fp38-p48q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-68j8-fp38-p48q
Published
2024-09-19T14:49:40Z
Modified
2024-09-20T15:01:12.039700Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • 7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Summary
Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack
Details

Impact

The profile location routine in the referencevalidator commons package is vulnerable to an XML External Entity (XXE) attack because of the insecure defaults of the Woodstox WstxInputFactory it uses. A malicious XML resource can cause referencevalidator to issue network requests, resulting in a Server Side Request Forgery attack.

The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources.

Patches

The problem has been patched in version 2.5.1 of referencevalidator. Users are strongly recommended to update to this version or a more recent one.

Workarounds

Pre-processing or manually analysing input XML resources for DTD definitions or external entities can mitigate the problem.
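
One way to automate the pre-processing workaround above, as an added example that is not part of the advisory or of referencevalidator: a check that rejects any XML resource carrying a DOCTYPE before it is handed to the validator. It uses only the standard StAX API (`javax.xml.stream`); the class name `DtdPrecheck`, the method names and the sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical pre-check class; not part of referencevalidator.
public class DtdPrecheck {

    // StAX factory that neither processes DTDs nor resolves external entities.
    private static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // True only if the prolog parses and holds no DOCTYPE declaration.
    // A DOCTYPE can only appear before the root element, so scanning stops there.
    public static boolean isFreeOfDtd(byte[] xml) {
        try {
            XMLStreamReader r = hardenedFactory()
                    .createXMLStreamReader(new ByteArrayInputStream(xml));
            try {
                while (r.hasNext()) {
                    int event = r.next();
                    if (event == XMLStreamConstants.DTD) return false;
                    if (event == XMLStreamConstants.START_ELEMENT) return true;
                }
                return false; // no root element: not a usable resource
            } finally {
                r.close();
            }
        } catch (XMLStreamException e) {
            return false; // fail closed on anything the parser rejects
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String plain = "<Resource><id value=\"1\"/></Resource>";
        String withDtd = "<!DOCTYPE Resource [<!ENTITY e SYSTEM \"http://example.invalid/x\">]>"
                + "<Resource/>";
        System.out.println("plain accepted:    " + isFreeOfDtd(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println("with DTD accepted: " + isFreeOfDtd(withDtd.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Because the check refuses every DOCTYPE rather than trying to tell harmless declarations from external ones, it also rejects documents that only declare internal entities.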

Affected packages

Maven / de.gematik.refv.commons:commons

Package

Name
de.gematik.refv.commons:commons
Purl
pkg:maven/de.gematik.refv.commons/commons

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.5.1

Affected versions

0.*

0.1.3
0.2.0
0.3.0
0.4.1
0.5.0
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2

1.*

1.0.0
1.1.0

2.*

2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.2.0
2.3.0
2.4.0
2.5.0