Description
In Eclipse Sphinx™ before version 0.13.1, the Apache Xerces XML parser was used without disabling the processing of referenced external entities (XXE). An attacker who can supply an XML document can therefore inject arbitrary entity definitions that read local files and expose their contents, including via outbound HTTP requests made by the parser.
References (1)
x_refsource_confirm: https://bugs.eclipse.org/580542
Scores
CVSS v3
5.3
EPSS
0.0021
EPSS Percentile
42.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-611
Status
published
Products (1)
eclipse/sphinx
0.7.0 up to, but not including, 0.13.1 (fixed in 0.13.1)
Published
Aug 16, 2022
Tracked Since
Feb 18, 2026