logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-826p-4gcg-35vw org.geotools:gt-xsd-core

Package

Manager: maven
Name: org.geotools:gt-xsd-core
Vulnerable Version: =33.0 || >=33.0 <33.1 || >=32.0 <32.3 || >=29.0 <31.7 || >=0 <28.6.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

EPSS: N/A pctlN/A

Details

GeoTools has XML External Entity (XXE) Processing Vulnerability in XSD schema handling ### Summary GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. ### Impact This impacts whoever exposes XML processing with ``gt-xsd-core`` involved in parsing, when the documents carry a reference to an external XML schema. The ``gt-xsd-core`` Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of ``gt-wfs-ng`` DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. ### Resolution GeoTools API change allows EntityResolver to be supplied to the following methods: ```java Schemas.parse( location, locators, resolvers, uriHandlers, entityResolver); Schemas.findSchemas(Configuration configuration, EntityResolver entityResolver); ``` With this API change the `gt-wfs-ng` WFS DataStore ENTITY_RESOLVER parameter is now used. ### Reference * [GHSA-jj54-8f66-c5pc](https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc): Describes the impact of the ``gt-xsd-core`` vulnerability on the GeoServer WFS protocol, resulting in both Service Side Request Forgery (SSRF) and Out-of-Band (OOB) data exfiltration of local files. * [GHSA-2p76-gc46-5fvc](https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc): Describes the impact of the ``gt-wfs-ng`` and ``gt-xsd-core`` vulnerability on the GeoNetwork WFS Index functionality.

Metadata

Created: 2025-06-09T23:14:48Z
Modified: 2025-06-09T23:14:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-826p-4gcg-35vw/GHSA-826p-4gcg-35vw.json
CWE IDs: ["CWE-611"]
Alternative ID: N/A
Finding: F083
Auto approve: 1