CVE-2023-41034

CVSS v3.1 9.8 (Critical)
EPSS 0.08 % (35th)
Affected Products 1
Advisories 1

Eclipse Leshan is a device management server and client Java implementation. In affected versions, DDFFileParser and DefaultDDFFileValidator (and therefore ObjectLoader) are vulnerable to XXE attacks. A DDF file is an LWM2M format used to store LWM2M object descriptions. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model); in that case they MUST upgrade to a fixed version. If you parse only trusted DDF files and validate only with trusted XML schemas, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability.
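As an added example (not part of this advisory and not Leshan's own code), the following Java snippet shows the parser hardening that closes this class of bug when DDF input cannot be trusted: a DocumentBuilderFactory configured to reject DOCTYPE declarations and external entities before a constructed DDF-style document is parsed. The element names and the placeholder path in the rejected sample are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedDdfParse {
    // A DDF object description needs no DTD and no external entities, so refuse both up front.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: also block external DTD/schema fetches during validation.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    static Document parseDdf(String xml) throws Exception {
        return hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed minimal DDF-style document (assumed element names, not a real Leshan model).
        String trusted = "<LWM2M><Object ObjectType=\"MODefinition\"><Name>Demo</Name>"
                + "<ObjectID>31000</ObjectID></Object></LWM2M>";
        System.out.println("parsed root: " + parseDdf(trusted).getDocumentElement().getTagName());

        // Constructed sample carrying a DOCTYPE; the hardened parser must reject it before any entity is resolved.
        String withDoctype = "<!DOCTYPE LWM2M [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<LWM2M><Name>&ext;</Name></LWM2M>";
        try {
            parseDdf(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same features apply to the SAX and StAX factories if the model loader uses those instead of DOM.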

Weaknesses
CWE-611
Improper Restriction of XML External Entity Reference
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2023-08-31 18:15:09
Updated Date
2023-09-06 19:02:03

Affected Products


Configuration #1

  Product                              CPE 2.3                                     From   Up To
  Eclipse Leshan prior 1.5.0 version   cpe:2.3:a:eclipse:leshan                           < 1.5.0
  Eclipse Leshan 2.0.0 Milestone1      cpe:2.3:a:eclipse:leshan:2.0.0:milestone1
  Eclipse Leshan 2.0.0 Milestone2      cpe:2.3:a:eclipse:leshan:2.0.0:milestone2
  Eclipse Leshan 2.0.0 Milestone3      cpe:2.3:a:eclipse:leshan:2.0.0:milestone3
  Eclipse Leshan 2.0.0 Milestone4      cpe:2.3:a:eclipse:leshan:2.0.0:milestone4
  Eclipse Leshan 2.0.0 Milestone5      cpe:2.3:a:eclipse:leshan:2.0.0:milestone5
  Eclipse Leshan 2.0.0 Milestone6      cpe:2.3:a:eclipse:leshan:2.0.0:milestone6
  Eclipse Leshan 2.0.0 Milestone7      cpe:2.3:a:eclipse:leshan:2.0.0:milestone7
  Eclipse Leshan 2.0.0 Milestone8      cpe:2.3:a:eclipse:leshan:2.0.0:milestone8
  Eclipse Leshan 2.0.0 Milestone9      cpe:2.3:a:eclipse:leshan:2.0.0:milestone9
  Eclipse Leshan 2.0.0 Milestone10     cpe:2.3:a:eclipse:leshan:2.0.0:milestone10
  Eclipse Leshan 2.0.0 Milestone11     cpe:2.3:a:eclipse:leshan:2.0.0:milestone11
  Eclipse Leshan 2.0.0 Milestone12     cpe:2.3:a:eclipse:leshan:2.0.0:milestone12