Description
Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML when SNAPSHOT versions are being resolved, the vulnerability can be avoided by not resolving SNAPSHOT versions.
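The weakness is the default JAXP parser configuration: a DocumentBuilderFactory obtained from newInstance() resolves external entities, so a repository (or anyone able to tamper with traffic to it) that serves crafted metadata can make the client read local files or fetch URLs while a SNAPSHOT version is being resolved. The following is an added example, not Dragonfly's own code, showing the weak factory beside a hardened one. The metadata document is constructed for the demonstration; the file path it references and the assumption that the parsed XML looks like Maven repository metadata are both illustrative.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeDemo {
    // Constructed sample: a metadata document of the kind a repository returns for a
    // SNAPSHOT lookup (assumed shape, not Dragonfly's actual format). The DOCTYPE declares
    // an external entity that points at a local file; a parser that resolves it copies the
    // file's content into the <latest> element. The path is an illustrative choice.
    static final String MALICIOUS_METADATA =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE metadata [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n" +
        "<metadata><versioning><latest>&xxe;</latest></versioning></metadata>";

    // Weak configuration: the JDK default factory resolves external general entities
    // and loads external DTDs, which is what makes XXE possible.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: reject DOCTYPE outright (no entity declarations at all),
    // and additionally disable entity expansion, external DTD/schema access and XInclude
    // in case the disallow-doctype feature is unsupported by a different parser.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // Parses the metadata with the given factory and returns the <latest> text.
    static String latestVersion(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("latest").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the entity is resolved and the local file's content is returned
        // as the "version" (or an I/O error surfaces if the file is absent).
        try {
            String leaked = latestVersion(vulnerableFactory(), MALICIOUS_METADATA);
            System.out.println("default factory resolved the entity, <latest> = " + leaked.trim());
        } catch (Exception e) {
            System.out.println("default factory attempted entity resolution: " + e);
        }

        // Hardened factory: parsing stops at the DOCTYPE before any entity is touched.
        try {
            latestVersion(hardenedFactory(), MALICIOUS_METADATA);
            System.out.println("unexpected: hardened factory accepted the document");
        } catch (SAXParseException e) {
            System.out.println("hardened factory rejected the document: " + e.getMessage());
        }
    }
}
```

The feature URIs are those of the Xerces parser bundled with the JDK; setFeature throws ParserConfigurationException for a parser that does not recognise them, which is the right failure mode for a security control (fail closed rather than silently parse). Disallowing DOCTYPE is the single most effective setting, since a document with no DTD cannot declare entities; the remaining flags matter only when DOCTYPE must be allowed for legitimate input.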
References
- Patch; Third Party Advisory
- Patch; Third Party Advisory
- Patch; Third Party Advisory
- Patch; Third Party Advisory
Vulnerable configurations
Configuration 1
cpe:2.3:a:hypera:dragonfly:0.3.0-snapshot:*:*:*:*:*:*:*
EPSS
Score: 0.00279 (percentile: 51%), Low
CVSS3: 7 High
CVSS3: 7.5 High
Weaknesses
CWE-611 (Improper Restriction of XML External Entity Reference)