Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Eclipse Lyo by The Eclipse Foundation

    CVE-2021-41042 (GCVE-0-2021-41042)

    Vulnerability from nvd – Published: 2022-07-07 20:55 – Updated: 2024-08-04 02:59
    VLAI
    Summary
    In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    The Eclipse Foundation Eclipse Lyo Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 4.1.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T02:59:31.150Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eclipse Lyo",
              "vendor": "The Eclipse Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "4.1.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-07T20:55:10.000Z",
            "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
            "shortName": "eclipse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@eclipse.org",
              "ID": "CVE-2021-41042",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eclipse Lyo",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Eclipse Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": 4.9,
                "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND",
                "version": "2.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287",
                  "refsource": "CONFIRM",
                  "url": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "assignerShortName": "eclipse",
        "cveId": "CVE-2021-41042",
        "datePublished": "2022-07-07T20:55:10.000Z",
        "dateReserved": "2021-09-13T00:00:00.000Z",
        "dateUpdated": "2024-08-04T02:59:31.150Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41042 (GCVE-0-2021-41042)

    Vulnerability from cvelistv5 – Published: 2022-07-07 20:55 – Updated: 2024-08-04 02:59
    VLAI
    Summary
    In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    The Eclipse Foundation Eclipse Lyo Affected: 1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 4.1.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T02:59:31.150Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eclipse Lyo",
              "vendor": "The Eclipse Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "4.1.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-07T20:55:10.000Z",
            "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
            "shortName": "eclipse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@eclipse.org",
              "ID": "CVE-2021-41042",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eclipse Lyo",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Eclipse Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": 4.9,
                "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C/CDP:L/TD:ND/CR:ND/IR:ND/AR:ND",
                "version": "2.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287",
                  "refsource": "CONFIRM",
                  "url": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "assignerShortName": "eclipse",
        "cveId": "CVE-2021-41042",
        "datePublished": "2022-07-07T20:55:10.000Z",
        "dateReserved": "2021-09-13T00:00:00.000Z",
        "dateUpdated": "2024-08-04T02:59:31.150Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }