Dragonfly v0.3.0-SNAPSHOT XML External Entity (XXE) Attack Vulnerability

CVE-2022-41967 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure `DocumentBuilderFactory` to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML when `SNAPSHOT` versions are being resolved, this vulnerability can be avoided by not resolving `SNAPSHOT` versions.
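The hardening the advisory refers to, as an added example that is not Dragonfly's own code: a `DocumentBuilderFactory` configured to reject any DOCTYPE and disable external entity and DTD loading, exercised against two constructed inputs (a plain metadata-style document that should parse, and one carrying an entity declaration that must be rejected). The class name, the feature set and the sample XML are assumptions; the real snapshot metadata format Dragonfly parses is not shown on this page.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedMetadataParser {

    // Constructed sample in the shape of snapshot metadata (assumption, not Dragonfly's real format).
    static final String SAFE_XML =
        "<metadata><versioning><snapshot><timestamp>20220101.000000</timestamp>"
        + "<buildNumber>1</buildNumber></snapshot></versioning></metadata>";

    // Constructed sample with a DOCTYPE declaring an entity; a hardened parser must refuse it
    // before any entity (internal or external) is ever resolved.
    static final String DOCTYPE_XML =
        "<!DOCTYPE metadata [<!ENTITY x \"y\">]><metadata>&x;</metadata>";

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: reject DOCTYPE outright, so no entity or DTD processing can happen.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE might still be allowed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document ok = parse(SAFE_XML);
        System.out.println("buildNumber = "
            + ok.getElementsByTagName("buildNumber").item(0).getTextContent());
        try {
            parse(DOCTYPE_XML);
            System.out.println("unexpected: DOCTYPE document was accepted");
        } catch (SAXParseException e) {
            // The JDK parser raises a fatal error as soon as it sees the DOCTYPE.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The JDK's built-in parser supports all four feature URIs; with a different JAXP implementation, `setFeature` throws `ParserConfigurationException` for an unsupported one, which should be treated as a hard failure rather than silently ignored.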