CVE-2022-41967 - Vulnerability Details - OpenCVE

Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not trying to resolve `SNAPSHOT` versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Hypera	Dragonfly

Configuration 1 [-]

cpe:2.3:a:hypera:dragonfly:0.3.0-snapshot:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3
https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv

History

Mon, 14 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-27T23:45:00.786Z

Updated: 2025-04-14T16:23:21.201Z

Reserved: 2022-09-30T16:38:28.949Z

Link: CVE-2022-41967

Vulnrichment

Updated: 2024-08-03T12:56:39.058Z

NVD

Status : Modified

Published: 2022-12-28T00:15:14.953

Modified: 2024-11-21T07:24:10.390

Link: CVE-2022-41967

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-41967", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-09-30T16:38:28.949Z", "datePublished": "2022-12-27T23:45:00.786Z", "dateUpdated": "2025-04-14T16:23:21.201Z"}, "containers": {"cna": {"title": "Improper Restriction of XML External Entity Reference in Dragonfly", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv"}, {"name": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3", "tags": ["x_refsource_MISC"], "url": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3"}], "affected": [{"vendor": "HyperaDev", "product": "Dragonfly", "versions": [{"version": ">= 0.3.0-SNAPSHOT, < 0.3.1-SNAPSHOT", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-27T23:45:00.786Z"}, "descriptions": [{"lang": "en", "value": "Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not trying to resolve `SNAPSHOT` versions."}], "source": {"advisory": "GHSA-6x3m-96qp-mmxv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:39.058Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv"}, {"name": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-14T16:21:19.096339Z", "id": "CVE-2022-41967", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:23:21.201Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv", "name": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3", "name": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:39.058Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-41967", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-14T16:21:19.096339Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:21:28.577Z"}}], "cna": {"title": "Improper Restriction of XML External Entity Reference in Dragonfly", "source": {"advisory": "GHSA-6x3m-96qp-mmxv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "HyperaDev", "product": "Dragonfly", "versions": [{"status": "affected", "version": ">= 0.3.0-SNAPSHOT, < 0.3.1-SNAPSHOT"}]}], "references": [{"url": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv", "name": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3", "name": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not trying to resolve `SNAPSHOT` versions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-27T23:45:00.786Z"}}}, "cveMetadata": {"cveId": "CVE-2022-41967", "state": "PUBLISHED", "dateUpdated": "2025-04-14T16:23:21.201Z", "dateReserved": "2022-09-30T16:38:28.949Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-12-27T23:45:00.786Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hypera:dragonfly:0.3.0-snapshot:*:*:*:*:*:*:*", "matchCriteriaId": "88CDE274-A9D5-4F75-A56B-5FB1F1B11E74", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not trying to resolve `SNAPSHOT` versions."}, {"lang": "es", "value": "Dragonfly es una librer\u00eda de gesti\u00f3n de dependencias en tiempo de ejecuci\u00f3n de Java. Dragonfly v0.3.0-SNAPSHOT no configura DocumentBuilderFactory para evitar ataques de entidades externas XML (XXE). Este problema se solucion\u00f3 en 0.3.1-SNAPSHOT. Como soluci\u00f3n alternativa, dado que Dragonfly solo analiza las versiones XML `SNAPSHOT` que se est\u00e1n resolviendo, esta vulnerabilidad se puede evitar al no intentar resolver las versiones `SNAPSHOT`."}], "id": "CVE-2022-41967", "lastModified": "2024-11-21T07:24:10.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-28T00:15:14.953", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/HyperaDev/Dragonfly/commit/9661375e1135127ca6cdb5712e978bec33cc06b3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/HyperaDev/Dragonfly/security/advisories/GHSA-6x3m-96qp-mmxv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Secondary"}]}