PT-2023-5313 · Eclipse · Eclipse Leshan

Jaroslawlegierski · Published 2023-08-31 · Updated 2023-09-06 · CVE-2023-41034

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Eclipse Leshan versions prior to 1.5.0
Eclipse Leshan versions prior to 2.0.0-M13

Description

The vulnerability is an improper restriction of XML external entity references, which can allow a remote attacker to perform an XXE attack. It affects the DDFFileParser and DefaultDDFFileValidator components (and therefore ObjectLoader, which uses them). Users are impacted only if they parse untrusted DDF files. A DDF file is an LWM2M format used to store LWM2M object descriptions.

Recommendations

For versions prior to 1.5.0, upgrade to version 1.5.0 or later. For versions prior to 2.0.0-M13, upgrade to version 2.0.0-M13 or later. As a temporary workaround, create a DocumentBuilderFactory with secure processing enabled: set FEATURE_SECURE_PROCESSING to true, disallow DTDs, and disable XML inclusions. Additionally, for DefaultDDFFileValidator, set FEATURE_SECURE_PROCESSING to true on the SchemaFactory and restrict access to external DTDs and schemas.
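The following is an added example of the workaround described above, written for this advisory and not taken from the Leshan project. It assumes the JDK's bundled JAXP implementation (the disallow-doctype-decl and external-entity feature URIs are Xerces feature names, which the JDK's built-in parser supports), and it feeds the hardened parser a constructed DDF-style document rather than a real Leshan DDF file. The class name and the helper names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedDdfParsing {

    /** DocumentBuilderFactory configured as the advisory recommends for DDFFileParser. */
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // A DDF file needs no DOCTYPE; rejecting every DOCTYPE blocks entity declarations outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);          // "disabling XML inclusions" from the advisory
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: no protocol may be used to fetch external DTDs or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** SchemaFactory configured as the advisory recommends for DefaultDDFFileValidator. */
    static SchemaFactory hardenedSchemaFactory() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    /** Parses DDF XML from an untrusted source; a DOCTYPE or external entity causes an exception. */
    static Document parseUntrustedDdf(String xml) throws Exception {
        DocumentBuilder builder = hardenedDocumentBuilderFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed, minimal DDF-style document (not a real Leshan DDF), with no DOCTYPE.
        String benign = "<LWM2M><Object ObjectType=\"MODefinition\"><Name>Example</Name>"
                + "<ObjectID>12345</ObjectID></Object></LWM2M>";
        // The same document preceded by a DOCTYPE that declares an external entity. The SYSTEM
        // URI is a placeholder on the reserved .invalid domain and is never fetched, because the
        // hardened parser rejects the DOCTYPE before resolving anything.
        String withDoctype = "<!DOCTYPE LWM2M [<!ENTITY ext SYSTEM \"http://example.invalid/placeholder\">]>"
                + "<LWM2M><Object ObjectType=\"MODefinition\"><Name>&ext;</Name></Object></LWM2M>";

        Document doc = parseUntrustedDdf(benign);
        System.out.println("benign document parsed, root = " + doc.getDocumentElement().getNodeName());

        try {
            parseUntrustedDdf(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // The validator side only needs the factory; validation itself requires the DDF schema.
        hardenedSchemaFactory();
    }
}
```

The check that matters for a deployment is the second parse: if the DOCTYPE-bearing document is accepted rather than rejected, the factory in use is not the hardened one, or the parser implementation on the classpath ignores the feature names above and needs its own equivalent settings.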

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

BDU:2023-05939
CVE-2023-41034
GHSA-WC9J-GC65-3CM7

Affected Products

Eclipse Leshan