9.8 - CVE-2023-41034

Executive Summary

Informations
Name	CVE-2023-41034	First vendor Publication	2023-08-31
Vendor	Cve	Last vendor Modification	2023-09-06

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score	9.8
Base Score	9.8	Environmental Score	9.8
impact SubScore	5.9	Temporal Score	9.8
Exploitabality Sub Score	3.9

Attack Vector	Network	Attack Complexity	Low
Privileges Required	None	User Interaction	None
Scope	Unchanged	Confidentiality Impact	High
Integrity Impact	High	Availability Impact	High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score	N/A	Attack Range	N/A
Cvss Impact Score	N/A	Attack Complexity	N/A
Cvss Expoit Score	N/A	Authentication	N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Eclipse Leshan is a device management server and client Java implementation. In affected versions DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to `XXE Attacks`. A DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41034

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-611	Information Leak Through XML External Entity File Disclosure

CPE : Common Platform Enumeration

Type	Description	Count
Application	Eclipse Leshan cpe:2.3:a:eclipse:leshan:2.0.0:milestone11:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone12:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone10:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone9:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone8:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone7:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone6:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone5:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone4:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone3:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone2:::::: cpe:2.3:a:eclipse:leshan:2.0.0:milestone1:::::: cpe:2.3:a:eclipse:leshan::::::::	13

Sources (Detail)

Source	Url
MISC	https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01... https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c5... https://github.com/eclipse-leshan/leshan/security/advisories/GHSA-wc9j-gc65-3cm7 https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Pro...

Source

Url

MISC

https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01...
https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c5...
https://github.com/eclipse-leshan/leshan/security/advisories/GHSA-wc9j-gc65-3cm7
https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Pro...

Alert History

If you want to see full details history, please login or register.

Date	Informations
2023-09-07 00:27:20	Multiple Updates
2023-09-01 13:26:30	Multiple Updates
2023-09-01 00:27:19	First insertion

9.8 - CVE-2023-41034

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

CPE : Common Platform Enumeration

Sources (Detail)

Alert History

Global Informations

Open Standards

COMPANY

STANDARDS

RECENT POSTS

MENU