GHSA-826p-4gcg-35vw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-826p-4gcg-35vw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-826p-4gcg-35vw/GHSA-826p-4gcg-35vw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-826p-4gcg-35vw
- Published
- 2025-06-09T23:14:48Z
- Modified
- 2025-06-09T23:14:48Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L CVSS Calculator
- Summary
- GeoTools has XML External Entity (XXE) Processing Vulnerability in XSD schema handling
- Details
-
Summary
GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit.
Impact
This impacts whoever exposes XML processing with
gt-xsd-coreinvolved in parsing, when the documents carry a reference to an external XML schema. Thegt-xsd-coreSchemas class is not using the EntityResolver provided by the ParserHandler (if any was configured).This also impacts users of
gt-wfs-ngDataStore where the ENTITY_RESOLVER connection parameter was not being used as intended.Resolution
GeoTools API change allows EntityResolver to be supplied to the following methods:
Schemas.parse( location, locators, resolvers, uriHandlers, entityResolver); Schemas.findSchemas(Configuration configuration, EntityResolver entityResolver);With this API change the
gt-wfs-ngWFS DataStore ENTITY_RESOLVER parameter is now used.Reference
GHSA-jj54-8f66-c5pc: Describes the impact of the
gt-xsd-corevulnerability on the GeoServer WFS protocol, resulting in both Service Side Request Forgery (SSRF) and Out-of-Band (OOB) data exfiltration of local files.GHSA-2p76-gc46-5fvc: Describes the impact of the
gt-wfs-ngandgt-xsd-corevulnerability on the GeoNetwork WFS Index functionality.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-611" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-06-09T23:14:48Z" }- References
Affected packages
Maven / org.geotools:gt-xsd-core
Package
- Name
- org.geotools:gt-xsd-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geotools/gt-xsd-core
Maven / org.geotools:gt-xsd-core
Package
- Name
- org.geotools:gt-xsd-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geotools/gt-xsd-core
Maven / org.geotools:gt-xsd-core
Package
- Name
- org.geotools:gt-xsd-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geotools/gt-xsd-core
Maven / org.geotools:gt-wfs-ng
Package
- Name
- org.geotools:gt-wfs-ng
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geotools/gt-wfs-ng
Maven / org.geotools:gt-wfs-ng
Package
- Name
- org.geotools:gt-wfs-ng
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geotools/gt-wfs-ng
Maven / org.geotools:gt-wfs-ng
Package
- Name
- org.geotools:gt-wfs-ng
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geotools/gt-wfs-ng
Maven / org.geotools:gt-xsd-core
Package
- Name
- org.geotools:gt-xsd-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geotools/gt-xsd-core
Maven / org.geotools:gt-wfs-ng
Package
- Name
- org.geotools:gt-wfs-ng
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geotools/gt-wfs-ng