External DTD access in Eclipse Lyo
The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue is used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.
Basic information
Project name: Eclipse Lyo
Project id: technology.lyo
Versions affected: [1.0.0, 4.1.0]
Common Weakness Enumeration:
Common Vulnerability Scoring System: {cvss}
I don't know the right score, as I don't have a proven exploit for it. I simply fixed the SonarCloud warning, and I assume the score is similar to a very similar issue in Apache Jena. However, they had two CVEs: one for just external DTD loading, which has a 4.5 score (CVE-2022-28890), and another one for potential XXE code execution, which has a score of 7.5 (CVE-2021-39239). My assessment is https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND or https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L&version=3.1 for v3, assuming the REST API being attacked is protected and the attacker needs valid credentials to access the API. The rating could be worse if users expose an API that does not require auth (our SDK does not enforce it): https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND)
Summary:
In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
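As an added illustration (not Eclipse Lyo's own code), the snippet below places the weak default `TransformerFactory` next to a hardened one that disables external DTD and stylesheet access through the standard JAXP attributes; the RDF/XML document and the DTD URL in it are constructed placeholders.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class TransformerFactoryDtdExample {

    // Weak: the JAXP defaults let the underlying parser follow a DOCTYPE
    // SYSTEM reference and fetch the external DTD over the network.
    static TransformerFactory defaultFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened: secure processing plus empty access lists, so no protocol is
    // allowed for external DTDs or external stylesheets (JAXP 1.5+ attributes).
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Constructed RDF/XML input whose DOCTYPE points at a placeholder external DTD.
    static final String RDF_XML_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE rdf:RDF SYSTEM \"http://dtd.example.invalid/placeholder.dtd\">\n"
        + "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n"
        + "  <rdf:Description rdf:about=\"http://example.invalid/resource1\"/>\n"
        + "</rdf:RDF>\n";

    public static void main(String[] args) throws Exception {
        // Identity transform with the hardened factory: the parser is not
        // permitted to contact dtd.example.invalid for the DTD.
        Transformer t = hardenedFactory().newTransformer();
        StringWriter out = new StringWriter();
        try {
            t.transform(new StreamSource(new StringReader(RDF_XML_WITH_DTD)), new StreamResult(out));
            System.out.println("Transformed without external DTD access:\n" + out);
        } catch (TransformerException e) {
            // Expected with ACCESS_EXTERNAL_DTD = "": the reference is rejected, not fetched.
            System.out.println("External DTD access blocked: " + e.getMessage());
        }
    }
}
```

Replacing `hardenedFactory()` with `defaultFactory()` in `main` is the configuration the summary describes, where the DOCTYPE reference is resolved by fetching the remote DTD.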
Links:
- https://docs.oracle.com/en/java/javase/17/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC (I am not sure what you mean though.)
Tracking
This section will be completed by the project team.
- We're ready for this issue to be reported to the central authority (i.e., make this public now)
- (when applicable) The GitHub Security Advisory is ready to be published now
Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.
This section will be completed by the EMO.
CVE: CVE-2021-41042
- All required information is provided
- CVE Assigned
- Pushed to Mitre
- Accepted by Mitre