Eclipse Leshan is a device management server and client Java implementation. In affected versions, DDFFileParser and DefaultDDFFileValidator (and so ObjectLoader) are vulnerable to XXE attacks. A DDF file is an LWM2M format used to store LWM2M object descriptions. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model); in that case they MUST upgrade to a fixed version. If you parse only trusted DDF files and validate only with a trusted XML schema, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability.
{ "vanir_signatures": [ { "signature_type": "Function", "target": { "function": "DDFFileParser", "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java" }, "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c", "id": "CVE-2023-41034-216aea22", "signature_version": "v1", "deprecated": false, "digest": { "function_hash": "112132251650979455020530205440897708048", "length": 131.0 } }, { "signature_type": "Function", "target": { "function": "getEmbeddedLwM2mSchema", "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java" }, "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c", "id": "CVE-2023-41034-2b7d6545", "signature_version": "v1", "deprecated": false, "digest": { "function_hash": "237108993301340176968770709437993627186", "length": 245.0 } }, { "signature_type": "Line", "target": { "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java" }, "source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013", "id": "CVE-2023-41034-3dcb100f", "signature_version": "v1", "deprecated": false, "digest": { "line_hashes": [ "45880770282846884601284427041015995044", "95169844009773388857870879042304079351", "308220482238997735255890079680512829514", "37948561098649931725789504006028637254", "24902648833500247232837118258358593395", "129514908223358611218345249590568226783", "63896513064352376436083745393434523592", "137075230668628750169402724552438603157" ], "threshold": 0.9 } }, { "signature_type": "Line", "target": { "file": "leshan-core/src/test/java/org/eclipse/leshan/core/model/DDFFileParserTest.java" }, "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c", "id": "CVE-2023-41034-44c6c046", "signature_version": "v1", "deprecated": false, "digest": { "line_hashes": [ 
"242314717943366220870141432382158099006", "189852283634600278334276759222608334543", "203467205585413036845815988732211231851", "182226392566595191678688636994668885466", "17695505341159378715321889487742566404", "62531583052037463261089425512167904033", "145219763436386524007942274368761675450", "335423710570500327518939223124749421667", "53285797452823956303838961912357002091" ], "threshold": 0.9 } }, { "signature_type": "Function", "target": { "function": "DDFFileParser", "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java" }, "source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013", "id": "CVE-2023-41034-9810be00", "signature_version": "v1", "deprecated": false, "digest": { "function_hash": "52710533708919467597417151252120139818", "length": 182.0 } }, { "signature_type": "Function", "target": { "function": "getEmbeddedLwM2mSchema", "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java" }, "source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013", "id": "CVE-2023-41034-a183f538", "signature_version": "v1", "deprecated": false, "digest": { "function_hash": "63427233686271172612166336625608161474", "length": 231.0 } }, { "signature_type": "Line", "target": { "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java" }, "source": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013", "id": "CVE-2023-41034-bcf26722", "signature_version": "v1", "deprecated": false, "digest": { "line_hashes": [ "115729365069980650686153977819415124338", "188350188840414607550987041215903346447", "75256081097726451239142718650667979254", "297000428072123989345404796242628781768", "4430587957913202764103452207951461294", "20285762405733447032206306108848805333", "187433684835951687701158858927284189678", "218630000264675851591819883909995949662", 
"256605570271465775775618381191903812281", "116224701539792437818075443554110477796", "169082512716778544763256138959280990725" ], "threshold": 0.9 } }, { "signature_type": "Line", "target": { "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DDFFileParser.java" }, "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c", "id": "CVE-2023-41034-d2d3a5c6", "signature_version": "v1", "deprecated": false, "digest": { "line_hashes": [ "224793050385932402359716846565473886911", "64411032892954427213694186536495358510", "68315008682031517132333035922268930791", "176575345234979434188987061320702333853", "15673455243346571594061287544353981945", "77525323166135210316798616360521246086", "161767609788803444337232487009427185627", "283833623819636711997085278428840596443", "260584916336028519124763346542010607449", "253200802636479195599648177865208651697" ], "threshold": 0.9 } }, { "signature_type": "Line", "target": { "file": "leshan-core/src/main/java/org/eclipse/leshan/core/model/DefaultDDFFileValidator.java" }, "source": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c", "id": "CVE-2023-41034-d63c47d3", "signature_version": "v1", "deprecated": false, "digest": { "line_hashes": [ "331866631334698974891268203364968538464", "201181351608272125293095004071975403459", "142997430677257658315466546654741836464", "322608446906846335492472204206308618971", "71124720481208310578680349502640176869", "286790915122307017608269268308474201912", "144689773262673485837071862541365140900", "86248679191031874337274423609528403631", "63896513064352376436083745393434523592", "137075230668628750169402724552438603157" ], "threshold": 0.9 } }, { "signature_type": "Function", "target": { "function": "test_xxe_injection_failed", "file": "leshan-core/src/test/java/org/eclipse/leshan/core/model/DDFFileParserTest.java" }, "source": 
"https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c", "id": "CVE-2023-41034-d6e203b3", "signature_version": "v1", "deprecated": false, "digest": { "function_hash": "33430740049175250943106065286647360992", "length": 206.0 } } ] }