4.1.0

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

eclipse

CWE-611

NVD

Published: 2022-07-07

Updated: 2023-11-07

Summary

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

Vulnerable Configurations

Part	Description	Count
Application	Eclipse Eclipse LYO 1.0.0 Eclipse LYO 4.1.0	2

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287