Description
In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple MQTT component and the emulator position service (not part of the device distribution) could be the target of an XML External Entity (XXE) attack due to improper initialisation of the XML parser factories and parsers.
Remediation
References
https://bugs.eclipse.org/bugs/show_bug.cgi?id=545835
http://www.securityfocus.com/bid/107844