GHSA-68j8-fp38-p48q

Source

https://github.com/advisories/GHSA-68j8-fp38-p48q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-68j8-fp38-p48q/GHSA-68j8-fp38-p48q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-68j8-fp38-p48q

Aliases

CVE-2024-46984

Published

2024-09-19T14:49:40Z

Modified

2024-09-19T15:12:54.016847Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator

Summary

Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack

Details

Impact

The profile location routine in the referencevalidator commons package is vulnerable to XML External Entities attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a Server Side Request Forgery attack.

The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources.

Patches

The problem has been patched with the 2.5.1 version of the referencevalidator. Users are strongly recommended to update to this version or a more recent one.

Workarounds

A pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.

References

References

Affected packages

Maven / de.gematik.refv.commons:commons

Package

Name: de.gematik.refv.commons:commons; View open source insights on deps.dev
Purl: pkg:maven/de.gematik.refv.commons/commons

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.1

Affected versions

0.*

0.1.3

0.2.0

0.3.0

0.4.1

0.5.0

0.6.0

0.6.1

0.7.0

0.7.1

0.7.2

1.*

1.0.0

1.1.0

2.*

2.0.0

2.0.1

2.0.2

2.1.0

2.1.1

2.2.0

2.3.0

2.4.0

2.5.0