Lucene search

Veracode Vulnerability DatabaseVERACODE:41010

HistoryJun 26, 2023 - 6:04 a.m.

XML External Entity (XXE) Injection

2023-06-2606:04:23

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

xml

xxe injection

hutool library

CVSS2

5.2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:S/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

45.6%

JSON

cn.hutool:hutool-all and cn.hutool:hutool-core are vulnerable to XML external entitiy (XXE) injection attacks. The vulnerability exists in readBySax function of XmlUtil.java due to the use of SAXParserFactory which allows an attacker to parse malicious DTDs as a result of an incorrectly configured XML parser.

References

fbdhhhh47.github.io/2023/06/06/hutool-XXE/

github.com/advisories/GHSA-p2qf-9vp6-3jjq

github.com/dromara/hutool/commit/2a786afd3fef5554321d919481aeac8ed362ce99

vuldb.com/?ctiid.231626

vuldb.com/?id.231626

CVSS2

5.2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:S/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

45.6%

JSON

Related for VERACODE:41010