Unrated severityNVD Advisory· Published Dec 27, 2022· Updated Apr 14, 2025

Improper Restriction of XML External Entity Reference in Dragonfly

CVE-2022-41967

Description

Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML SNAPSHOT versions are being resolved, this vulnerability may be avoided by not trying to resolve SNAPSHOT versions.

Affected products

Dragonflydb/Dragonflyv5
Range: >= 0.3.0-SNAPSHOT, < 0.3.1-SNAPSHOT

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3mitrex_refsource_MISC
github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxvmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000