Description

EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.

Remediation

References

https://www.kb.cert.org/vuls/id/779243

https://www.securityfocus.com/bid/94864/

Related Vulnerabilities

CVE-2021-21166 Vulnerability in maven package org.webjars.npm:electron

CVE-2019-1003059 Vulnerability in maven package org.jvnet.hudson.plugins:ftppublisher

CVE-2018-1199 Vulnerability in maven package org.springframework.security:spring-security-web

CVE-2017-16211 Vulnerability in npm package lessindex

CVE-2021-21293 Vulnerability in maven package org.http4s:blaze-core_2.12

Severity

High

Classification

CWE-611 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory US Government Resource VDB Entry