In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
References
Link | Resource |
---|---|
https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287 | Exploit Vendor Advisory |
Configurations
Information
Published : 2022-07-07 14:15
Updated : 2022-07-15 08:31
NVD link : CVE-2021-41042
Mitre link : CVE-2021-41042
JSON object : View
CWE
CWE-611
Improper Restriction of XML External Entity Reference
Products Affected
eclipse
- lyo