Skip to content

dssp vulnerable to Improper Restriction of XML External Entity Reference

Critical severity GitHub Reviewed Published Jan 6, 2023 to the GitHub Advisory Database • Updated Oct 20, 2023

Package

maven be.e_contract.dssp:dssp-client (Maven)

Affected versions

< 1.3.2

Patched versions

1.3.2

Description

A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.2 can address this issue. The name of the patch is ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to upgrade the affected component. The identifier VDB-217549 was assigned to this vulnerability.

References

Published by the National Vulnerability Database Jan 6, 2023
Published to the GitHub Advisory Database Jan 6, 2023
Reviewed Jan 12, 2023
Last updated Oct 20, 2023

Severity

Critical
9.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2016-15011

GHSA ID

GHSA-77cc-w3wm-6whp

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.