
Improper Restriction of XML External Entity Reference in de.tud.sse

Low
StevenArzt published GHSA-39r7-275f-rvgw Jul 12, 2021

Package

maven de.tud.sse (Maven)

Affected versions

< 2.9.0

Patched versions

2.9.0

Description

Impact

FlowDroid contained an XXE vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations (that is, from paths or URIs outside the definition file itself) via external entity references. The following conditions both had to be met:

  • The XML-based format for sources and sinks is used
  • The attacker can control the source/sink definition file

Patches

Upgrade to version 2.9.0 (the proper release, not an earlier 2.9.0 snapshot build).

Workarounds

Do not allow untrusted entities to control the source/sink definition file.
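The vulnerability class described under Impact, and the parser hardening that closes it, as an added example. This is illustrative code written for this page, not FlowDroid's own source/sink parser: the element names (sinkSources, method, signature) are a made-up schema, and the secret file is a temporary file constructed by the program. The permissive parser expands the external entity declared in the DOCTYPE and returns the file contents where a method signature should be; the hardened parser rejects the DOCTYPE before any entity is resolved.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class SourceSinkXxeDemo {

    // Constructed sample: a source/sink style definition whose DOCTYPE declares an
    // external entity pointing at a local file. The element names are illustrative
    // and are not FlowDroid's actual format. The entity is referenced in element
    // content, since XML forbids external entity references inside attribute values.
    static String buildMaliciousDefinition(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE sinkSources [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<sinkSources>\n"
             + "  <method><signature>&xxe;</signature><source/></method>\n"
             + "</sinkSources>\n";
    }

    // Default-configured JDK parser: resolves external general entities, so the
    // referenced file's contents end up inside the parsed document (the vulnerable case).
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser: disallowing the DOCTYPE removes entity declarations entirely.
    // The remaining features are defence in depth for parsers that ignore the first one.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the definition and return the first method signature, the way a
    // source/sink loader would read it.
    static String firstSignature(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        NodeList sigs = doc.getElementsByTagName("signature");
        return ((Element) sigs.item(0)).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a file the analysis user never meant to expose to the definition author.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "contents-the-definition-author-should-not-see");
        String xml = buildMaliciousDefinition(secret);

        // Vulnerable configuration: the "signature" now carries the file contents.
        System.out.println("permissive parser: " + firstSignature(permissiveBuilder(), xml));

        // Hardened configuration: parsing fails on the DOCTYPE, no entity is ever resolved.
        try {
            firstSignature(hardenedBuilder(), xml);
        } catch (SAXException e) {
            System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Run it with `java SourceSinkXxeDemo.java` (Java 11 or later). The same feature settings apply to a SAXParserFactory if the loader is SAX-based; disallowing the DOCTYPE is the single setting to insist on, and it is safe whenever the definition format does not legitimately need a DTD.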

References

None.

Severity

Low

CVE ID

CVE-2021-32754

Weaknesses

Improper Restriction of XML External Entity Reference (CWE-611)

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Credits