GHSA-85hw-w436-c725

Source
https://github.com/advisories/GHSA-85hw-w436-c725
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-85hw-w436-c725/GHSA-85hw-w436-c725.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-85hw-w436-c725
Published
2022-05-14T02:02:28Z
Modified
2023-11-01T04:48:49.221306Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
XML External Entity Reference in Apache Cayenne
Details

This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1, 3.1, 3.1.1, 3.1.2. CayenneModeler is a desktop GUI tool shipped with Apache Cayenne and intended for editing Cayenne ORM models stored as XML files. If an attacker tricks a user of CayenneModeler into opening a malicious XML file, the attacker will be able to instruct the XML parser built into CayenneModeler to transfer files from the local machine to a remote machine controlled by the attacker. The cause of the issue is the XML parser processing XML External Entity (XXE) declarations included in the XML. The vulnerability is addressed in Cayenne by disabling XXE processing in all operations that require XML parsing.

Database specific
{
    "nvd_published_at": "2018-08-22T20:29:00Z",
    "github_reviewed_at": "2022-11-04T20:37:08Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}

Affected packages

Maven / org.apache.cayenne:cayenne-parent

Package

Name
org.apache.cayenne:cayenne-parent
Purl
pkg:maven/org.apache.cayenne/cayenne-parent

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.1.3

Affected versions

3.*

3.0B1
3.0M1
3.0M2
3.0M3
3.0M4
3.0M5
3.0M6
3.0RC1
3.0RC2
3.0RC3
3.0
3.0.1
3.0.2
3.1B1
3.1B2
3.1M1
3.1M2
3.1M3
3.1RC1
3.1
3.1.1
3.1.2

Maven / org.apache.cayenne:cayenne-parent

Package

Name
org.apache.cayenne:cayenne-parent
Purl
pkg:maven/org.apache.cayenne/cayenne-parent

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0
Fixed
4.1

Affected versions

4.*

4.0
4.0.1
4.0.2
4.0.3
4.1.B1
4.1.B2
4.1.M1
4.1.M2
4.1.RC1
4.1.RC2