Description
Withdrawn Advisory: dom4j XML Entity Expansion vulnerability
Withdrawn Advisory
This advisory has been withdrawn because the underlying vulnerability could not be reproduced. This link is maintained to preserve external references.
Original Description
An issue in dom4j org.dom4j.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-45960
- https://github.com/dom4j/dom4j/issues/171#issuecomment-1781547256
- https://github.com/joker-xiaoyan/XXE-SAXReader/issues/1
- https://dom4j.github.io
- https://github.com/joker-xiaoyan/XXE-SAXReader/blob/8c0d24f9800c36c8ad36457c1df1e4aaff24c7b9/POC.java
- https://github.com/joker-xiaoyan/XXE-SAXReader/tree/main
Packages
org.dom4j:dom4j
<= 2.1.4
None
CVE ID
Weaknesses
Related vulnerabilities
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
An issue was found in org.dom4j that may allow a remote attacker to obtain sensitive information via the setFeature function. This CVE is currently disputed by the maintainers.