Moderate severity · NVD Advisory · Published Jul 7, 2022 · Updated Aug 4, 2024
CVE-2021-41042
Description
In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with its default settings, which do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
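The following Java example is added here to illustrate the configuration difference the description refers to; it is not code from Eclipse Lyo or from the fix commit. It places a `TransformerFactory` built with JAXP defaults beside one that sets the `XMLConstants.ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` attributes to the empty string (no protocols allowed), then runs an identity transform over a constructed RDF/XML document whose `DOCTYPE` names a DTD on the reserved, non-resolving host `example.invalid`. The check that inspects the exception message for `accessExternalDTD` is an assumption about the wording used by the JDK's bundled parser when it refuses the fetch.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class TransformerFactoryDtdHardening {

    // Weak configuration: JAXP defaults permit the parser behind the
    // Transformer to fetch an external DTD named in a DOCTYPE declaration.
    static TransformerFactory unrestrictedFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened configuration: deny all external DTD and stylesheet access.
    // The empty string means "no protocols allowed". Set these explicitly
    // rather than relying on defaults, which vary between JDK releases.
    static TransformerFactory restrictedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Constructed sample: RDF/XML whose DOCTYPE points at a DTD on a
    // placeholder host (example.invalid is reserved and never resolves).
    static final String RDF_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE rdf:RDF SYSTEM \"http://dtd.example.invalid/placeholder.dtd\">\n"
      + "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n"
      + "  <rdf:Description rdf:about=\"urn:example:resource\"/>\n"
      + "</rdf:RDF>\n";

    // Runs an identity transform over the document and reports whether the
    // factory refused the external DTD outright rather than trying to fetch it.
    static boolean externalDtdBlocked(TransformerFactory tf, String xml) {
        try {
            Transformer t = tf.newTransformer(); // identity transform
            t.transform(new StreamSource(new StringReader(xml)),
                        new StreamResult(new StringWriter()));
            return false; // processed without objection: the fetch was allowed
        } catch (TransformerException e) {
            // Assumption: with accessExternalDTD="" the JDK parser reports an
            // error that names the accessExternalDTD restriction somewhere in
            // the cause chain. Any other failure (e.g. the placeholder host not
            // resolving) means the fetch was attempted, so it is not "blocked".
            for (Throwable c = e; c != null; c = c.getCause()) {
                if (String.valueOf(c.getMessage()).contains("accessExternalDTD")) {
                    return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory blocks external DTD:  "
            + externalDtdBlocked(unrestrictedFactory(), RDF_WITH_EXTERNAL_DTD));
        System.out.println("hardened factory blocks external DTD: "
            + externalDtdBlocked(restrictedFactory(), RDF_WITH_EXTERNAL_DTD));
    }
}
```

Run with `javac TransformerFactoryDtdHardening.java && java TransformerFactoryDtdHardening`. With the default factory the parser attempts the network fetch (and fails only because the placeholder host does not resolve); with the hardened factory the transform is rejected before any connection is made, which is the behaviour a reviewer should look for when auditing RDF/XML handling code for this class of issue.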
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.lyo:lyo-parent | Maven | >= 1.0.0, < 5.0.0.Final | 5.0.0.Final |
Affected products
- The Eclipse Foundation / Eclipse Lyo (v5), range: 1.0.0
References
- github.com/advisories/GHSA-6296-mvgp-27hp (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41042 (source: GHSA; type: advisory)
- github.com/eclipse/lyo/commit/a8b15b7f49ca15e55f6699749c39705d21367c6e (source: GHSA; type: web)
- github.com/eclipse/lyo/releases/tag/v5.0.0 (source: GHSA; type: web)
- gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287 (source: GHSA, x_refsource_CONFIRM; type: web)