CVE-2023-3276

Published: Jun 15, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected (1)

Products: Dromara: Hutool

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dromara Hutool	Up to 5.8.19

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (6)

https://fbdhhhh47.github.io/2023/06/06/hutool-XXE/

Source: cna@vuldb.com

Exploit

https://vuldb.com/?ctiid.231626

Source: cna@vuldb.com

Permissions RequiredThird Party Advisory

https://vuldb.com/?id.231626

Source: cna@vuldb.com

Third Party Advisory

https://fbdhhhh47.github.io/2023/06/06/hutool-XXE/

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

https://vuldb.com/?ctiid.231626

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

https://vuldb.com/?id.231626

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.