Apache cayenne-server is vulnerable to XML external entity (XXE) injection. External entity declarations are not disabled in the XML parser used by CayenneModeler, which allows an attacker to read local or remote content through a declared system identifier.
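As an added illustration (not code from Cayenne or from this advisory), the following Java compares a JAXP DocumentBuilder in its default configuration with a hardened one that refuses DTDs and external entities; the sample document and its placeholder SYSTEM identifier are constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeHardening {

    // Constructed sample: a DTD that declares an external entity with a SYSTEM
    // identifier. The target is a placeholder path, not a real file.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\">]>\n"
        + "<data>&ext;</data>";

    // Default JAXP configuration: the DOCTYPE and its external entity are
    // honoured, so the parser tries to resolve the SYSTEM identifier for &ext;.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: reject any DOCTYPE outright and, as defence in
    // depth, disable external entity resolution, entity expansion and XInclude.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the document and reports whether it was accepted or rejected.
    static String parse(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "parsed: " + d.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();  // hardened parser lands here
        } catch (Exception e) {
            return "error: " + e.getMessage();     // e.g. I/O on the placeholder path
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + parse(defaultParser(), SAMPLE));
        System.out.println("hardened -> " + parse(hardenedParser(), SAMPLE));
    }
}
```

The hardened builder fails the document at the DOCTYPE before any entity is resolved, whereas the default builder only fails because the placeholder path does not exist.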
| CPE | Name | Operator | Version |
|---|---|---|---|
| cayenne-server | cayenne server | eq | 4.1.M1 |
| cayenne-server | cayenne server | le | 4.0.RC1 |
github.com/apache/cayenne/commit/5714108e8a4dabbc89957f562ad46035064ef731
github.com/apache/cayenne/commit/6fc896b65ed871be33dcf453cde924bf73cf83db
github.com/apache/cayenne/commit/8d4c83abed024fc3a698148a122429022b89b590
lists.apache.org/thread.html/ed60a4d329be3c722f105317ca883986dfcd17615c70d1df87f4528c@%3Cuser.cayenne.apache.org%3E