Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13dnB2LTg1MjQtd2c2eM4AAXRX
mxGraph vulnerable to XXE attacks
In mxGraphViewImageReader.java
in mxGraph before 3.7.6, the SAXParserFactory
instance in convert()
is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView
.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13dnB2LTg1MjQtd2c2eM4AAXRX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00679
EPSS Percentile: 0.80506
Identifiers: GHSA-wvpv-8524-wg6x, CVE-2017-18197
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-18197
- https://github.com/jgraph/mxgraph/issues/124
- https://lists.debian.org/debian-lts-announce/2018/03/msg00002.html
- https://github.com/jgraph/mxgraph/commit/97b3718db64a6ca9afb3382de2926eb8da660052
- https://github.com/advisories/GHSA-wvpv-8524-wg6x
Blast Radius: 23.5
Affected Packages
npm:mxgraph
Dependent packages: 83Dependent repositories: 251
Downloads: 119,171 last month
Affected Version Ranges: < 3.7.6
Fixed in: 3.7.6
All affected versions: 3.7.1, 3.7.3, 3.7.4, 3.7.5
All unaffected versions: 3.7.6, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.9.11, 3.9.12, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2