CVE-2021-32754 - OpenCVE

FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to able control the source/sink definition file. The vulnerability was patched in version 2.9.0. As a workaround, do not allow untrusted entities to control the source/sink definition file.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Flowdroid Project	Flowdroid

Configuration 1 [-]

cpe:2.3:a:flowdroid_project:flowdroid:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/secure-software-engineering/FlowDroid/security/advisories/GHSA-39r7-275f-rvgw

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-07-12T23:00:11

Updated: 2024-08-03T23:33:55.825Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32754

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-07-12T23:15:07.893

Modified: 2021-07-15T16:31:23.857

Link: CVE-2021-32754

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "FlowDroid", "vendor": "secure-software-engineering", "versions": [{"status": "affected", "version": "< 2.9.0"}]}], "descriptions": [{"lang": "en", "value": "FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to able control the source/sink definition file. The vulnerability was patched in version 2.9.0. As a workaround, do not allow untrusted entities to control the source/sink definition file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-12T23:00:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/secure-software-engineering/FlowDroid/security/advisories/GHSA-39r7-275f-rvgw"}], "source": {"advisory": "GHSA-39r7-275f-rvgw", "discovery": "UNKNOWN"}, "title": "Improper Restriction of XML External Entity Reference in de.tud.sse", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32754", "STATE": "PUBLIC", "TITLE": "Improper Restriction of XML External Entity Reference in de.tud.sse"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "FlowDroid", "version": {"version_data": [{"version_value": "< 2.9.0"}]}}]}, "vendor_name": "secure-software-engineering"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to able control the source/sink definition file. The vulnerability was patched in version 2.9.0. As a workaround, do not allow untrusted entities to control the source/sink definition file."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611: Improper Restriction of XML External Entity Reference"}]}]}, "references": {"reference_data": [{"name": "https://github.com/secure-software-engineering/FlowDroid/security/advisories/GHSA-39r7-275f-rvgw", "refsource": "CONFIRM", "url": "https://github.com/secure-software-engineering/FlowDroid/security/advisories/GHSA-39r7-275f-rvgw"}]}, "source": {"advisory": "GHSA-39r7-275f-rvgw", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:55.825Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/secure-software-engineering/FlowDroid/security/advisories/GHSA-39r7-275f-rvgw"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32754", "datePublished": "2021-07-12T23:00:11", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:55.825Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flowdroid_project:flowdroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBA1E3E8-A15D-4665-93BA-234116B52F25", "versionEndExcluding": "2.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to able control the source/sink definition file. The vulnerability was patched in version 2.9.0. As a workaround, do not allow untrusted entities to control the source/sink definition file."}, {"lang": "es", "value": "FlowDroid es una herramienta de an\u00e1lisis de flujo de datos. FlowDroid versiones anteriores a 2.9.0 conten\u00edan una vulnerabilidad de tipo XML external entity (XXE) que permit\u00eda a un atacante que tuviera control sobre el archivo de definici\u00f3n de fuente/sumidero en formato XML leer archivos de ubicaciones externas. Para que esto ocurriera, deb\u00eda usarse el formato basado en XML para fuentes y sumideros y el atacante deb\u00eda poder controlar el archivo de definici\u00f3n de fuente/sumidero. La vulnerabilidad fue parcheada en la versi\u00f3n 2.9.0. Como soluci\u00f3n alternativa, no permita que entidades no confiables controlen el archivo de definici\u00f3n de fuente/sumidero"}], "id": "CVE-2021-32754", "lastModified": "2021-07-15T16:31:23.857", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-07-12T23:15:07.893", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/secure-software-engineering/FlowDroid/security/advisories/GHSA-39r7-275f-rvgw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Secondary"}]}