Vulnerabilities > CVE-2021-41042 - XXE vulnerability in Eclipse LYO

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

eclipse

CWE-611

NVD

Published: 2022-07-07

Updated: 2022-07-15

Summary

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

Vulnerable Configurations

Part	Description	Count
Application	Eclipse Eclipse LYO *	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287