PT-2021-19907 · Flowdroid · Flowdroid

Notwo1F · Published 2021-07-12 · Updated 2021-07-15

CVE-2021-32754 · CVSS v3.1 5.3 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FlowDroid versions prior to 2.9.0
Description: FlowDroid can load its source and sink definitions from an XML file. In versions before 2.9.0 that file is parsed by an XML parser that resolves external entities, so the issue is an XML external entity (XXE) weakness. An attacker who can supply or modify the source/sink definition file can declare an entity that points at a local file on the host running FlowDroid and thereby read that file's contents. Only confidentiality is affected (C:H/I:N/A:N); the attacker must already control the definition file, which is why the vector rates attack complexity as high and requires low privileges.
Recommendations: Update to FlowDroid 2.9.0 or later. Until then, do not let untrusted parties provide or modify the source/sink definition file, and treat that file with the same care as the analysis configuration itself.
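As an added illustration of the vulnerability class (this is not FlowDroid's code and not the 2.9.0 patch), the Java program below parses a constructed, deliberately simplified source/sink definition file that declares an external entity pointing at a local file. It parses the file twice: once with a default SAXParserFactory, where the entity is expanded and the file contents end up inside the parsed definition, and once with a factory hardened along the lines OWASP recommends, where the DOCTYPE is rejected before any entity can be declared. The element names (sinkSources, method, signature) are a stand-in, not FlowDroid's real schema, and whether 2.9.0 uses exactly these feature flags is an assumption not stated on this page.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDefinitionFileDemo {

    // Constructed attacker-controlled definition file. The element names are a
    // simplified stand-in for a source/sink list, NOT FlowDroid's real schema.
    // The external entity is referenced in element content (an external entity
    // reference inside an attribute value would be a well-formedness error).
    static String payload(String secretPath) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE sinkSources [\n"
             + "  <!ENTITY xxe SYSTEM \"file://" + secretPath + "\">\n"
             + "]>\n"
             + "<sinkSources>\n"
             + "  <method>\n"
             + "    <signature>&xxe;</signature>\n"
             + "  </method>\n"
             + "</sinkSources>\n";
    }

    // Minimal SAX handler that collects the text of the first <signature> element,
    // standing in for a loader that reads method signatures from the file.
    static class SignatureCollector extends DefaultHandler {
        final StringBuilder signature = new StringBuilder();
        private boolean inSignature;

        @Override public void startElement(String uri, String local, String qName, Attributes atts) {
            if ("signature".equals(qName)) inSignature = true;
        }
        @Override public void characters(char[] ch, int start, int length) {
            if (inSignature) signature.append(ch, start, length);
        }
        @Override public void endElement(String uri, String local, String qName) {
            if ("signature".equals(qName)) inSignature = false;
        }
    }

    static String parse(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        SignatureCollector collector = new SignatureCollector();
        parser.parse(new InputSource(new StringReader(xml)), collector);
        return collector.signature.toString();
    }

    // Vulnerable configuration: the JDK default resolves DTDs and external entities.
    static SAXParserFactory vulnerableFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened configuration: refuse any DOCTYPE, so no entity can be declared at all,
    // and additionally switch off external entity and DTD loading as defence in depth.
    // (Assumed fix pattern; the page does not state which flags FlowDroid 2.9.0 sets.)
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for anything readable by the analysis host.
        File secret = File.createTempFile("flowdroid-xxe-demo", ".txt");
        Files.write(secret.toPath(), "top-secret".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret.getAbsolutePath());

        // Default parser: the signature now contains the secret file's contents.
        System.out.println("default parser : signature=\"" + parse(vulnerableFactory(), xml) + "\"");

        // Hardened parser: the DOCTYPE is rejected before the entity is ever resolved.
        try {
            parse(hardenedFactory(), xml);
            System.out.println("hardened parser: unexpectedly accepted the file");
        } catch (SAXParseException e) {
            System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
        }
        secret.delete();
    }
}
```

Run with `javac XxeDefinitionFileDemo.java && java XxeDefinitionFileDemo` on a JDK; the first line shows the secret's contents read into the parsed definition, the second shows the hardened parser refusing the DOCTYPE. Disallowing the DOCTYPE is the decisive setting: the other features only matter if a DTD is allowed to exist in the first place.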

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2021-32754
GHSA-39R7-275F-RVGW

Affected Products

Flowdroid