CVE-2021-41042

Improper Restriction of XML External Entity Reference in maven/org.eclipse.lyo/lyo-parent

Identifiers

GHSA-6296-mvgp-27hp, CVE-2021-41042

Package Slug

maven/org.eclipse.lyo/lyo-parent

Vulnerability

Improper Restriction of XML External Entity Reference

Description

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with its default settings, which do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
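The weak default beside the hardened configuration, as an added illustration for this advisory; this is example code and not Eclipse Lyo's own. It assumes a standard JAXP implementation (the one bundled with the JDK) that honours the XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET attributes; the class name, method names and the sample document with its `example.invalid` host are constructed for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Added example (not part of Eclipse Lyo): the unrestricted TransformerFactory
// the advisory describes, next to one that refuses external DTDs.
public class TransformerDtdHardening {

    // Constructed sample input: a DOCTYPE whose external subset lives on a
    // reserved, non-resolvable host. An unrestricted factory asks its parser
    // to fetch that DTD before the transform even starts.
    static final String DOC_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE doc SYSTEM \"http://dtd.example.invalid/external.dtd\">"
        + "<doc>hello</doc>";

    // Weak configuration, as in the affected versions: bare defaults.
    // On the JDK's built-in implementation ACCESS_EXTERNAL_DTD is left unset,
    // so external DTD references are followed.
    static TransformerFactory defaultFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened configuration: an empty protocol list means no external DTD
    // or stylesheet may be loaded; secure processing adds the usual entity
    // expansion limits on top.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException unsupported) {
            // Fail closed: an implementation that does not know these
            // attributes cannot be trusted to block external DTD access.
            throw new TransformerConfigurationException(
                "JAXP implementation does not support external access restrictions", unsupported);
        }
        return tf;
    }

    // Runs an identity transform (so the factory's own parser reads the input)
    // and reports whether the document was accepted.
    static boolean identityTransformAccepts(TransformerFactory tf, String xml) {
        try {
            Transformer t = tf.newTransformer();
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return true;
        } catch (TransformerException e) {
            // With the hardened factory the parser reports that reading the
            // external DTD is not allowed by the accessExternalDTD restriction.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean accepted = identityTransformAccepts(hardenedFactory(), DOC_WITH_EXTERNAL_DTD);
        System.out.println("hardened factory accepted document with external DTD: " + accepted);
        // defaultFactory() is deliberately not run on this input: it would
        // attempt a network fetch of the DTD, which is exactly the behaviour
        // the advisory describes.
    }
}
```

The empty string is the documented "allow no protocol" value for ACCESS_EXTERNAL_DTD; the same restriction can be applied JVM-wide with the `javax.xml.accessExternalDTD` system property, but setting it on each factory keeps the protection in the code that depends on it. Treat an IllegalArgumentException from setAttribute as a configuration failure rather than swallowing it, since it means the factory in use will not enforce the restriction.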

Affected Versions

All versions starting from 1.0.0 up to 4.1.0

Solution

Upgrade to version 5.0.0.Final or above.

Last Modified

2022-07-26
