Lucene search

[email protected]CVE-2023-41034

HistoryAug 31, 2023 - 6:15 p.m.

CVE-2023-41034

2023-08-3118:15:09

CWE-611

[email protected]

web.nvd.nist.gov

cve-2023-41034

eclipse leshan

xxe attacks

ddffileparser

defaultddffilevalidator

objectloader

lwm2m

device management

java

vulnerability

upgrade

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.1%

JSON

Eclipse Leshan is a device management server and client Java implementation. In affected versions DDFFileParserandDefaultDDFFileValidator(and soObjectLoader) are vulnerable to XXE Attacks`. A DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

NVD

Node

eclipse-leshanleshanRange<1.5.0

eclipse-leshanleshanRange2.0.0-M1–2.0.0-M13

CPENameOperatorVersion
eclipse:leshaneclipse leshanlt1.5.0
eclipse:leshaneclipse leshaneq2.0.0

CPE	Name	Operator	Version
eclipse:leshan	eclipse leshan	lt	1.5.0
eclipse:leshan	eclipse leshan	eq	2.0.0

CNA Affected

[
  {
    "vendor": "eclipse-leshan",
    "product": "leshan",
    "versions": [
      {
        "version": "< 1.5.0",
        "status": "affected"
      },
      {
        "version": ">= 2.0.0-M1, < 2.0.0-M13",
        "status": "affected"
      }
    ]
  }
]