CRITICAL🇵🇱 Wersja polska

CVE-2024-51136

CVSS 9.8v3.1pub. 2024-11-04upd. 2024-11-06

An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file.

🤖 AI Analysis
How it works

An attacker provides a crafted XML file containing references to external entities (External Entity). The XML parser used in the Dmoz2CSV component processes these entities without proper restrictions, leading to disclosure of local files or network resources (CWE-611). Additionally, the vulnerability includes CWE-91 (XML Injection), which may enable injection of malicious XML content and lead to arbitrary code execution (RCE).

Impact

An attacker can gain unauthorized access to sensitive files and system resources or execute arbitrary code on the server processing a malicious XML file.

Mitigation & patch

Apply patches available from the vendor according to the references. Additionally, it is recommended to avoid processing untrusted XML files by the Dmoz2CSV component until the patch is applied, and to consider disabling external XML entity (XXE) support at the XML parser configuration level.

Who is affected

OpenIMAJ v1.3.10, Dmoz2CSV component (Maven artifact: org.openimaj.tools/WebTools)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Openimaj

    APP
    Openimaj
    1.3.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEXXE
CWE
References