GHSA-wc9j-gc65-3cm7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wc9j-gc65-3cm7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-wc9j-gc65-3cm7/GHSA-wc9j-gc65-3cm7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wc9j-gc65-3cm7
- Aliases
- Published
- 2023-08-31T21:47:28Z
- Modified
- 2024-02-16T08:11:26.907209Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
- Summary
- DDFFileParser is vulnerable to XXE Attacks
- Details
-
Impact
DDFFileParserandDefaultDDFFileValidator(and soObjectLoader) are vulnerable to XXE Attacks.DDF file is a LWM2M format used to store LWM2M object description.
Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory.Patches
This is fixed in v1.5.0 and 2.0.0-M13.
Workarounds
No easy way. Eventually writing your own
DDFFileParser/DefaultDDFFileValidator(and soObjectLoader) creating aDocumentBuilderFactorywith :// For DDFFileParser DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // Disable DTDs factory.setXIncludeAware(false); // Disable XML Inclusions factory.setExpandEntityReferences(false); // disable expand entity reference nodes // For DefaultDDFFileValidator SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");References
- https://owasp.org/www-community/vulnerabilities/XMLExternalEntity(XXE)Processing
- https://cheatsheetseries.owasp.org/cheatsheets/XMLExternalEntityPreventionCheat_Sheet.html
- https://semgrep.dev/docs/cheat-sheets/java-xxe/
- https://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE
- Database specific
{ "nvd_published_at": "2023-08-31T18:15:09Z", "cwe_ids": [ "CWE-611" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-08-31T21:47:28Z" }- References
-
- https://github.com/eclipse-leshan/leshan/security/advisories/GHSA-wc9j-gc65-3cm7
- https://nvd.nist.gov/vuln/detail/CVE-2023-41034
- https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013
- https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c
- https://github.com/eclipse-leshan/leshan
- https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
Affected packages
Maven / org.eclipse.leshan:leshan-core
Package
- Name
- org.eclipse.leshan:leshan-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.eclipse.leshan/leshan-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.5.0
Affected versions
0.*
0.1.10
0.1.11-M1
0.1.11-M2
0.1.11-M3
0.1.11-M4
0.1.11-M5
0.1.11-M6
0.1.11-M7
0.1.11-M8
0.1.11-M9
0.1.11-M10
0.1.11-M11
0.1.11-M12
0.1.11-M13
0.1.11-M14
1.*
1.0.0-M1
1.0.0-M2
1.0.0-M3
1.0.0-M4
1.0.0-M5
1.0.0-M6
1.0.0-M7
1.0.0-M8
1.0.0-M9
1.0.0-M10
1.0.0-M11
1.0.0-M12
1.0.0-M13
1.0.0-RC1
1.0.0-RC2
1.0.0
1.0.1
1.0.2
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
Maven / org.eclipse.leshan:leshan-core
Package
- Name
- org.eclipse.leshan:leshan-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.eclipse.leshan/leshan-core