CVE-2023-41034 – org.eclipse.leshan:leshan-core
Package
Manager: maven
Name: org.eclipse.leshan:leshan-core
Vulnerable Version: >=0 <1.5.0 || >=2.0.0-m1 <2.0.0-m13
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00109 (percentile 0.29871)
Details
DDFFileParser is vulnerable to XXE Attacks

### Impact

`DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to [XXE Attacks](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing). A [DDF file](https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model) is an LWM2M XML format used to store LWM2M object descriptions. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own models); in that case they MUST upgrade to a fixed version. If you parse only trusted DDF files and validate only against trusted XML schemas, upgrading is not mandatory.

### Patches

This is fixed in **v1.5.0** and **2.0.0-M13**.

### Workarounds

No easy way. A possible option is writing your own `DDFFileParser`/`DefaultDDFFileValidator` (and so `ObjectLoader`) that create a hardened `DocumentBuilderFactory` and `SchemaFactory` as follows:

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.validation.SchemaFactory;

// For DDFFileParser
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // Disable DTDs
factory.setXIncludeAware(false); // Disable XML Inclusions
factory.setExpandEntityReferences(false); // Disable expansion of entity reference nodes

// For DefaultDDFFileValidator
SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // No external DTD access
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // No external schema access
```

### References

- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://semgrep.dev/docs/cheat-sheets/java-xxe/
- https://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE
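The following is an added, self-contained example (not Leshan's own code, and not part of the advisory) that applies the `DocumentBuilderFactory` hardening above and shows its effect: a minimal, constructed DDF-style document parses normally, while a document that carries a `DOCTYPE` declaration is rejected before any entity is resolved. The class name `HardenedDdfParserDemo`, the helper methods and the two XML strings are assumptions made for the demonstration; the element names only loosely mirror a DDF file.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedDdfParserDemo {

    // Factory configured with the same settings as the advisory's workaround.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Parses a DDF-style document and returns the text of its first <Name> element.
    // With the hardened factory a document containing a DOCTYPE throws SAXParseException.
    static String parseObjectName(DocumentBuilderFactory factory, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("Name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed minimal DDF-style document (hypothetical, not a real Leshan model).
        String trusted = "<LWM2M><Object ObjectType=\"MODefinition\">"
            + "<Name>Demo</Name></Object></LWM2M>";

        // Constructed document with a DOCTYPE and an internal entity. A parser that
        // accepts DTDs will expand &demo;; the hardened one refuses the whole document.
        String withDoctype = "<!DOCTYPE LWM2M [<!ENTITY demo \"Demo\">]>"
            + "<LWM2M><Object ObjectType=\"MODefinition\">"
            + "<Name>&demo;</Name></Object></LWM2M>";

        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("hardened, trusted input: " + parseObjectName(hardened, trusted));

        try {
            parseObjectName(hardened, withDoctype);
            System.out.println("UNEXPECTED: hardened parser accepted a DOCTYPE");
        } catch (SAXException e) {
            System.out.println("hardened, DOCTYPE input rejected: " + e.getMessage());
        }

        // For contrast: a default factory (no hardening) expands the entity silently,
        // which is the behaviour the advisory describes as vulnerable.
        DocumentBuilderFactory plain = DocumentBuilderFactory.newInstance();
        System.out.println("default, DOCTYPE input: " + parseObjectName(plain, withDoctype));
    }
}
```

Compile and run with `javac HardenedDdfParserDemo.java && java HardenedDdfParserDemo`; no dependencies beyond the JDK's built-in JAXP implementation are needed. The decisive setting is `disallow-doctype-decl`: it makes the parser fail fast on any DTD, so none of the entity-related features ever come into play. `FEATURE_SECURE_PROCESSING` and the other two settings remain useful as defence in depth, in particular if a different parser implementation is put on the classpath that does not recognise the Apache-specific feature name.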
Metadata
Created: 2023-08-31T21:47:28Z
Modified: 2023-08-31T21:47:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-wc9j-gc65-3cm7/GHSA-wc9j-gc65-3cm7.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-wc9j-gc65-3cm7
Finding: F083
Auto approve: 1