ONC code-validator-api up to 1.0.30 XML CodeValidatorApiConfiguration.java vocabularyValidationConfigurations xml external entity reference
A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30. It affects the function vocabularyValidationConfigurations in the file src/main/java/org/sitenv/vocabularies/configuration/CodeValidatorApiConfiguration.java of the XML Handler component. Manipulating the input leads to an XML external entity reference. The problem is classified as CWE-611. The weakness was presented 12/29/2022 as 97. The advisory is available at github.com.
This vulnerability was assigned CVE-2021-4295. The attack must be initiated from within the local network. Technical details are available, but no exploit is known. The structure of the vulnerability suggests a possible price range of USD $0-$5k at the moment.
The exploit status is declared as not defined. As a 0-day, the estimated underground price was around $0-$5k.
Upgrading to version 1.0.31 addresses this issue. The updated version is available for download at github.com. The patch is identified by commit fbd8ea121755a2d3d116b13f235bc8b61d8449af, and the bugfix can be downloaded from github.com. Upgrading the affected component is recommended. A mitigation was published before the vulnerability was disclosed, not only afterwards.