CVE-2023-46502

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-46502
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46502.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-46502
Aliases
Published
2023-10-30T23:15:08Z
Modified
2025-09-19T13:39:05.151330Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute a server-side request forgery attack via an insecure DocumentBuilderFactory.

References

Affected packages

Git / github.com/opencrx/opencrx

Affected ranges

Type
GIT
Repo
https://github.com/opencrx/opencrx
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

opencrx-v4.*

opencrx-v4.0.0
opencrx-v4.1.0
opencrx-v4.2.0
opencrx-v4.3.0
opencrx-v4.3.0-rc.1

opencrx-v5.*

opencrx-v5.0-20200714
opencrx-v5.0-20200715
opencrx-v5.0-20200717
opencrx-v5.0-20200904
opencrx-v5.0.0
opencrx-v5.0.1
opencrx-v5.1.0
opencrx-v5.2.0
opencrx-v5.2.1
opencrx-v5.2.2

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2023-46502-3c6a5e37",
            "signature_type": "Function",
            "target": {
                "file": "core/src/main/java/org/opencrx/application/uses/net/sf/webdav/methods/WebDavMethod.java",
                "function": "getDocumentBuilder"
            },
            "digest": {
                "function_hash": "4624990091803290678707408489062354619",
                "length": 251.0
            },
            "source": "https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2023-46502-5c1e4dba",
            "signature_type": "Line",
            "target": {
                "file": "core/src/main/java/org/opencrx/application/uses/net/sf/webdav/methods/WebDavMethod.java"
            },
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399",
            "signature_version": "v1",
            "deprecated": false
        }
    ]
}