CVE-2024-46984: Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack
The profile location routine in the referencevalidator commons package is vulnerable to an XML External Entity (XXE) attack because of the insecure defaults of the Woodstox WstxInputFactory it uses. A malicious XML resource can cause referencevalidator to issue network requests, which amounts to a Server Side Request Forgery (SSRF) attack.
The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources.
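The following is an added illustration, not code from the referencevalidator project or from the fix commit linked below. It shows the StAX hardening that OWASP recommends for Woodstox/StAX parsers (disable DTD processing and external entity support) next to the insecure default configuration, and runs a constructed sample document through the hardened factory to confirm that the external entity is never resolved. The sample document, the `.invalid` hostname, the `profile` element and the class and method names are all assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.ctc.wstx.stax.WstxInputFactory;

public final class HardenedStaxExample {

    // Constructed sample input (not from the advisory): an external general entity
    // whose SYSTEM identifier points at a host under the reserved .invalid TLD.
    // An unhardened parser would attempt to fetch it while expanding &ext;.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE profile [ <!ENTITY ext SYSTEM \"http://example.invalid/entity\"> ]>\n"
      + "<profile url=\"http://example.invalid/StructureDefinition/demo\">&ext;</profile>";

    // Insecure: Woodstox enables DTD processing and external entities by default,
    // so this factory will resolve SYSTEM entities over the network.
    static XMLInputFactory defaultFactory() {
        return new WstxInputFactory();
    }

    // Hardened: both properties are standard javax.xml.stream keys and the
    // configuration OWASP's XXE prevention cheat sheet recommends for StAX.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = new WstxInputFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Parses the whole document and returns its concatenated text content.
    // Returns null if the document is rejected. Depending on the Woodstox version,
    // a hardened factory either throws on the undeclared entity or reports an
    // unresolved ENTITY_REFERENCE event; both outcomes are treated as rejection
    // here, and in neither case is a network request made.
    static String parseText(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                    return null; // unexpanded entity: refuse the document
                }
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
            return text.toString();
        } catch (XMLStreamException e) {
            return null; // malformed or DTD-dependent input: refuse the document
        }
    }

    public static void main(String[] args) {
        // Only the hardened factory is applied to the untrusted document; the default
        // factory is shown above purely as the insecure "before" configuration.
        String result = parseText(hardenedFactory(), UNTRUSTED_XML);
        System.out.println(result == null
            ? "rejected: external entity not resolved"
            : "parsed text: " + result);
    }
}
```

Applied to the advisory's scenario, the profile location routine would construct its factory with `hardenedFactory()` rather than relying on the Woodstox defaults; the same two properties should be set on any XMLInputFactory that ever sees XML from an untrusted source, regardless of which StAX implementation is on the classpath.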
References
- cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- github.com/advisories/GHSA-68j8-fp38-p48q
- github.com/gematik/app-referencevalidator
- github.com/gematik/app-referencevalidator/commit/d6d27613fab7a8dd08534946f29e0c51f319cad6
- github.com/gematik/app-referencevalidator/releases/tag/2.5.1
- github.com/gematik/app-referencevalidator/security/advisories/GHSA-68j8-fp38-p48q
- nvd.nist.gov/vuln/detail/CVE-2024-46984
- owasp.org/www-community/attacks/Server_Side_Request_Forgery
- owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)