CVE-2023-41034

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-41034
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41034.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-41034
Aliases
Published
2023-08-31T18:15:09Z
Modified
2024-10-12T11:04:12.346344Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Eclipse Leshan is a device management server and client Java implementation. In affected versions DDFFileParserandDefaultDDFFileValidator(and soObjectLoader) are vulnerable toXXE Attacks`. A DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/eclipse-leshan/leshan

Affected ranges

Type
GIT
Repo
https://github.com/eclipse-leshan/leshan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

leshan-0.*

leshan-0.1.10
leshan-0.1.11-M1
leshan-0.1.11-M10
leshan-0.1.11-M11
leshan-0.1.11-M12
leshan-0.1.11-M13
leshan-0.1.11-M14
leshan-0.1.11-M2
leshan-0.1.11-M3
leshan-0.1.11-M4
leshan-0.1.11-M5
leshan-0.1.11-M6
leshan-0.1.11-M7
leshan-0.1.11-M8
leshan-0.1.11-M9

leshan-1.*

leshan-1.0.0
leshan-1.0.0-M1
leshan-1.0.0-M10
leshan-1.0.0-M11
leshan-1.0.0-M12
leshan-1.0.0-M13
leshan-1.0.0-M2
leshan-1.0.0-M3
leshan-1.0.0-M4
leshan-1.0.0-M5
leshan-1.0.0-M6
leshan-1.0.0-M7
leshan-1.0.0-M8
leshan-1.0.0-M9
leshan-1.0.0-RC1
leshan-1.0.0-RC2
leshan-1.0.1
leshan-1.1.0
leshan-1.2.0
leshan-1.3.0
leshan-1.3.1
leshan-1.3.2
leshan-1.4.0
leshan-1.4.1
leshan-1.4.2

leshan-2.*

leshan-2.0.0-M1
leshan-2.0.0-M10
leshan-2.0.0-M11
leshan-2.0.0-M12
leshan-2.0.0-M2
leshan-2.0.0-M3
leshan-2.0.0-M4
leshan-2.0.0-M5
leshan-2.0.0-M6
leshan-2.0.0-M7
leshan-2.0.0-M8
leshan-2.0.0-M9