logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-46984 de.gematik.refv.commons:commons

Package

Manager: maven
Name: de.gematik.refv.commons:commons
Vulnerable Version: >=0 <2.5.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00186 pctl0.40573

Details

Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack ### Impact The profile location routine in the referencevalidator commons package is vulnerable to [XML External Entities](https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)) attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) attack. The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources. ### Patches The problem has been patched with the [2.5.1 version](https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1) of the referencevalidator. Users are strongly recommended to update to this version or a more recent one. ### Workarounds A pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem. ### References - [OWASP Top 10 XXE](https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#) - [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) - [OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)

Metadata

Created: 2024-09-19T14:49:40Z
Modified: 2024-09-20T14:52:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-68j8-fp38-p48q/GHSA-68j8-fp38-p48q.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-68j8-fp38-p48q
Finding: F083
Auto approve: 1