CVE-2022-41967

Published: Dec 28, 2022 - 12:15 a.m. (2022-12-28 00:15:14)
Weakness: CWE-611
Source: web.nvd.nist.gov
Tags: dragonfly, java, runtime dependency management library, xxe attacks, vulnerability, nvd
7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

25.7%

Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML while SNAPSHOT versions are being resolved, this vulnerability may be avoided by not trying to resolve SNAPSHOT versions.
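The root cause named above is a DocumentBuilderFactory left at its defaults, which process DOCTYPE declarations and resolve entities. The following is an added illustration, not Dragonfly's code or the 0.3.1-SNAPSHOT patch: it places a default-configured factory beside a hardened one and feeds both a constructed document (shaped like a version listing, not a real Dragonfly input) that carries a DOCTYPE with an entity. The class and method names, and the sample XML, are assumptions for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

// Hypothetical class for this example; not part of Dragonfly.
public final class HardenedXmlParser {

    // Weak configuration: a fresh factory accepts DOCTYPEs and resolves entities.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: refuse any DOCTYPE, and additionally switch off
    // external entity and external DTD/schema access in case the first feature
    // is unsupported by the parser in use.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a version listing with an internal entity in its DOCTYPE.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE metadata [ <!ENTITY ver \"0.3.0-SNAPSHOT\"> ]>\n"
            + "<metadata><version>&ver;</version></metadata>";
        // Constructed sample input: the same listing without a DOCTYPE.
        String plain = "<metadata><version>0.3.1-SNAPSHOT</version></metadata>";

        // The default factory accepts the DOCTYPE and expands the entity reference.
        System.out.println("default:  "
            + parse(weakFactory(), withDoctype).getDocumentElement().getTextContent());

        // The hardened factory rejects the document as soon as the DOCTYPE is seen,
        // so no entity (internal or external) is ever resolved.
        try {
            parse(hardenedFactory(), withDoctype);
            System.out.println("hardened: unexpectedly accepted a DOCTYPE");
        } catch (SAXException e) {
            System.out.println("hardened: rejected DOCTYPE (" + e.getMessage() + ")");
        }

        // Ordinary input without a DOCTYPE still parses under the hardened settings.
        System.out.println("hardened: "
            + parse(hardenedFactory(), plain).getDocumentElement().getTextContent());
    }
}
```

Rejecting DOCTYPE outright is the simplest defence because the data a dependency resolver consumes has no legitimate need for a DTD; the remaining feature and attribute settings only matter for parsers that do not honour disallow-doctype-decl, and keeping them costs nothing. The same hardening applies to any code path that builds a DocumentBuilderFactory from untrusted repository responses, which is the condition the advisory describes for SNAPSHOT resolution.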

Affected configurations

Vulners / NVD node: hyperadev dragonfly, range 0.3.0-SNAPSHOT to 0.3.1-SNAPSHOT

CNA Affected

[
  {
    "vendor": "HyperaDev",
    "product": "Dragonfly",
    "versions": [
      {
        "version": ">= 0.3.0-SNAPSHOT, < 0.3.1-SNAPSHOT",
        "status": "affected"
      }
    ]
  }
]

