Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML SNAPSHOT versions are being resolved, this vulnerability may be avoided by not trying to resolve SNAPSHOT versions.
Weakness
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Dragonfly | Hypera | 0.3.0-snapshot (including) | 0.3.0-snapshot (including) |
Potential Mitigations
Related Attack Patterns
References
- https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3
- https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv
- https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3
- https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv