Eclipse · Eclipse Leshan · CVE-2023-41034
**Name of the Vulnerable Software and Affected Versions**
Eclipse Leshan versions prior to 1.5.0
Eclipse Leshan versions prior to 2.0.0-M13
**Description**
The issue stems from improper restriction of XML external entity references (XXE): the `DDFFileParser` and `DefaultDDFFileValidator` components (and consequently `ObjectLoader`) resolve external entities when parsing, so a remote attacker who can supply a DDF file can perform an XXE attack. Users are affected only if they parse untrusted DDF files. A DDF file is an XML-based LWM2M format used to store LWM2M object descriptions.
**Recommendations**
For versions prior to 1.5.0, upgrade to version 1.5.0 or later.
For versions prior to 2.0.0-M13, upgrade to version 2.0.0-M13 or later.
As a temporary workaround, create the `DocumentBuilderFactory` with secure processing enabled: set `XMLConstants.FEATURE_SECURE_PROCESSING` to `true`, disallow DTDs (DOCTYPE declarations), and disable XInclude processing.
Additionally, for `DefaultDDFFileValidator`, set `XMLConstants.FEATURE_SECURE_PROCESSING` to `true` on the `SchemaFactory` and restrict access to external DTDs and schemas (`XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA`).
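The following is an added example of the workaround described above; it is not code from Eclipse Leshan. It builds a `DocumentBuilderFactory` and a `SchemaFactory` with the hardened settings, then checks that a constructed DDF-like document with a DOCTYPE is rejected while a plain one parses and validates. The Xerces feature URIs assume the JDK's built-in JAXP implementation (another provider may throw `ParserConfigurationException` for features it does not know), and the `LWM2M`/`Object`/`Name` elements and the inline XSD are constructed stand-ins, not the real DDF schema.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class HardenedDdfParsing {

    // DocumentBuilderFactory configured so that a DDF file cannot pull in external content.
    static DocumentBuilderFactory hardenedBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: no DTD means no entity declarations at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a DOCTYPE is ever allowed again by a later change.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);           // disable XInclude
        dbf.setExpandEntityReferences(false);  // do not expand entity references into the DOM
        return dbf;
    }

    // SchemaFactory for the validator side: secure processing plus no external DTD/schema access.
    static SchemaFactory hardenedSchemaFactory() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");     // "" = no protocol allowed
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilder db = hardenedBuilderFactory().newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static void validate(Document doc, String xsd) throws Exception {
        Schema schema = hardenedSchemaFactory().newSchema(new StreamSource(new StringReader(xsd)));
        Validator v = schema.newValidator();
        // The Validator has its own copy of these properties; restrict it too.
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        v.validate(new DOMSource(doc));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a DDF document and a minimal schema for it (not the real DDF XSD).
        String xsd = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
                + "<xs:element name=\"LWM2M\"><xs:complexType><xs:sequence>"
                + "<xs:element name=\"Object\"><xs:complexType><xs:sequence>"
                + "<xs:element name=\"Name\" type=\"xs:string\"/>"
                + "</xs:sequence></xs:complexType></xs:element>"
                + "</xs:sequence></xs:complexType></xs:element></xs:schema>";
        String clean = "<?xml version=\"1.0\"?><LWM2M><Object><Name>Demo</Name></Object></LWM2M>";
        // Any DOCTYPE, even one declaring only a harmless internal entity, must be rejected.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE LWM2M [<!ENTITY n \"Demo\">]>"
                + "<LWM2M><Object><Name>&n;</Name></Object></LWM2M>";

        validate(parse(clean), xsd);
        System.out.println("clean document parsed and validated");

        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("document with DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE declaration is the setting that actually closes the hole; the remaining features only matter if DTDs are re-enabled later. The validator needs the same `ACCESS_EXTERNAL_*` restrictions as the factory, because a schema can itself import or include external resources.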