Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-wc9j-gc65-3cm7

Опубликовано: 31 авг. 2023
Источник: github
Github: Прошло ревью
CVSS3: 6.5

Описание

DDFFileParser is vulnerable to XXE Attacks

Impact

DDFFileParser and DefaultDDFFileValidator (and so ObjectLoader) are vulnerable to XXE Attacks.

DDF file is a LWM2M format used to store LWM2M object description.
Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory.

Patches

This is fixed in v1.5.0 and 2.0.0-M13.

Workarounds

No easy way. Eventually writing your own DDFFileParser/DefaultDDFFileValidator (and so ObjectLoader) creating a DocumentBuilderFactory with :

// For DDFFileParser DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // Disable DTDs factory.setXIncludeAware(false); // Disable XML Inclusions factory.setExpandEntityReferences(false); // disable expand entity reference nodes // For DefaultDDFFileValidator SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

References

Ссылки

Пакеты

Наименование

org.eclipse.leshan:leshan-core

maven
Затронутые версииВерсия исправления

< 1.5.0

1.5.0

Наименование

org.eclipse.leshan:leshan-core

maven
Затронутые версииВерсия исправления

>= 2.0.0-M1, < 2.0.0-M13

2.0.0-M13

EPSS

Процентиль: 30%
0.00109
Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-41034

Дефекты

CWE-611

Связанные уязвимости

nvd логотип

CVE-2023-41034

CVSS3: 6.5
nvd
больше 2 лет назад

Eclipse Leshan is a device management server and client Java implementation. In affected versions DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to `XXE Attacks`. A DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability.

fstec логотип

BDU:2023-05939

CVSS3: 9.8
fstec
больше 2 лет назад

Уязвимость программного средства для управления устройствами в Интернете вещей (IoT) Eclipse Leshan, связанная с неверным ограничением XML-ссылок на внешние объекты, позволяющая нарушителю осуществить XXE-атаку

EPSS

Процентиль: 30%
0.00109
Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-41034

Дефекты

CWE-611