CVE-2023-45960

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (CWE-776)

Published: Oct 25, 2023 / Updated: 12mo ago

CVSS 7.5 | EPSS 0.05% | Severity: High

** DISPUTED ** An issue in dom4.j org.dom4.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function. NOTE: the vendor and original reporter indicate that this is not a vulnerability because setFeature only sets features, which "can be safe in one case and unsafe in another."

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

First Article: Feedly found the first article mentioning CVE-2023-45960 (vuldb.com). Oct 25, 2023 at 10:21 AM
EPSS: EPSS Score was set to 0.05% (Percentile: 14.4%). Oct 25, 2023 at 4:44 PM
CVE Assignment: NVD published the first details for CVE-2023-45960. Oct 25, 2023 at 6:17 PM
Vendor Advisory: GitHub Advisories released a security advisory. Oct 25, 2023 at 6:32 PM
Vendor Advisory: RedHat CVE advisory released a security advisory (CVE-2023-45960). Oct 27, 2023 at 8:00 AM

Affected Systems

Dom4j_project/dom4j

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-197: Exponential Data Expansion

Vendor Advisory

[GHSA-fgq9-fc3q-vqmw] dom4j XML Entity Expansion vulnerability
GitHub Security Advisory: GHSA-fgq9-fc3q-vqmw
Release Date: 2023-10-25
Update Date: 2023-10-27
Severity: Moderate
CVE-2023-45960
Package Information
Package: org.dom4j:dom4j
Affected Versions: (not stated)
Patched Versions: None
Description
An issue in dom4.j org.dom4.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-45960
https://dom4j.github.io/
https://github.com/joker-xiaoyan/XXE-SAXReader/blob/8c0d24f9800c36c8ad36457c1df1e4aaff24c7b9/POC.java
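The dispute above turns on the fact that SAXReader.setFeature only passes a parser feature through to the underlying SAX parser: whether a given SAXReader is safe depends entirely on which features the application sets before calling read. The following is an added example, not code from the dom4j project or from any of the advisories, showing the feature set the OWASP XXE Prevention Cheat Sheet recommends for dom4j. The class name HardenedSaxReader and the two sample documents are constructed for this illustration; the feature URIs are the standard Xerces/SAX names.

```java
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

import java.io.StringReader;

/**
 * Added example (not dom4j project code): builds a SAXReader whose parser
 * features refuse DTDs and external entities before any document is read.
 */
public final class HardenedSaxReader {

    public static SAXReader create() throws SAXException {
        SAXReader reader = new SAXReader();
        // Reject any <!DOCTYPE ...> outright. Both external-entity (XXE) and
        // entity-expansion (CAPEC-197) inputs need a DTD, so this single
        // feature closes both classes when the parser honours it.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above:
        // never resolve external general or parameter entities.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD referenced by the document.
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /**
     * Parses an XML string with the hardened reader and returns the root
     * element name, or null when the parser rejected the document.
     */
    public static String rootNameOrNull(String xml) throws SAXException {
        try {
            Document doc = create().read(new StringReader(xml));
            return doc.getRootElement().getName();
        } catch (DocumentException rejected) {
            // dom4j wraps the SAXParseException raised by disallow-doctype-decl.
            return null;
        }
    }

    public static void main(String[] args) throws SAXException {
        // Constructed inputs: a plain document, and one carrying a harmless
        // internal DTD so the DOCTYPE rejection can be observed.
        String plain = "<note><to>ops</to></note>";
        String withDoctype =
            "<!DOCTYPE note [<!ENTITY greeting \"hello\">]><note>&greeting;</note>";

        System.out.println("plain document root: " + rootNameOrNull(plain));
        System.out.println("document with DTD root: " + rootNameOrNull(withDoctype));
    }
}
```

The plain document parses normally, while the document that carries a DOCTYPE is refused by the parser and surfaces as a DocumentException, which rootNameOrNull maps to null. When reviewing an application that uses dom4j, the check to make is that every SAXReader instance it creates sets these features (or is produced by a factory like create above) rather than relying on the parser's defaults.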

News

CVE-2023-45960
** DISPUTED ** An issue in dom4.j org.dom4.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function. NOTE: the vendor and original reporter indicate that this is not a vulnerability because setFeature only sets features, which "can be safe in one case and unsafe in another." (CVSS:0.0) (Last Update:2023-10-28 21:15:08)
dom4j information disclosure | CVE-2023-45960
dom4j could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the setFeature function in the SAXReader. By using a specially crafted XML content, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-45960
An issue was found in org.dom4j that may allow a remote attacker to obtain sensitive information via the setFeature function. This CVE is currently disputed by the...
CVE-2023-45960
Red Hat JBoss Enterprise Application Platform 6 - dom4j - Not affected
Red Hat JBoss A-MQ 7 - dom4j - Not affected

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
