CVE-2022-41967
Severity: HIGH
Dragonfly 0.3.0-SNAPSHOT - XML External Entity Injection
Title source: llmDescription
Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML when `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not resolving `SNAPSHOT` versions.
References (2)
Core References
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv
Patch, Third Party Advisory (x_refsource_misc): https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3
Scores
CVSS v3: 7.0
EPSS: 0.0056
EPSS Percentile: 41.8%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-611
Status: published
Products (1): hypera/dragonfly 0.3.0-snapshot
Published: Dec 28, 2022
Tracked Since: Feb 18, 2026