PT-2024-9589 · Ucum-Java

Dotasek · Published 2024-12-13 · Updated 2024-12-13 · CVE-2024-55887

CVSS v3.1: 8.6 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ucum-java versions prior to 1.0.9
Description: Ucum-java's UcumEssenceService is vulnerable to XML external entity (XXE) injection. When the service parses its essence XML, a malicious DTD declaration in the processed file can cause the resulting document to contain data read from the host system. This affects deployments where Ucum-java runs inside a host application and external clients can submit the XML that it parses.
Recommendations: For versions prior to 1.0.9, update to release 1.0.9, which fixes the vulnerability. As a temporary workaround, ensure that the source XML used to instantiate UcumEssenceService comes only from a trusted source.
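One way for a host application to enforce the workaround above until it can upgrade: screen the essence XML with a DTD-rejecting parser before handing the bytes to the library. This is an added example, not code from ucum-java, and it assumes the host reads the essence file as a byte stream it controls; the feature URIs are the ones understood by the JDK's built-in (Xerces-derived) parser, and the sample documents are constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

/** Hardened DOM parsing used to screen untrusted XML before an XML-consuming library sees it. */
public final class EssenceXmlGate {

    /** Builds a DocumentBuilder with DTD processing and external entity resolution disabled. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: without a DTD there are no entity declarations to abuse.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    /** Returns true when the document parses under the hardened settings, false when it is rejected. */
    public static boolean accepts(byte[] xml) {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(xml));
            return true;
        } catch (Exception e) { // SAXParseException on a DOCTYPE, ParserConfigurationException, IOException
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a minimal essence-like document and the same document with a DOCTYPE.
        byte[] plain = "<root version=\"2.1\"><unit Code=\"m\"><name>meter</name></unit></root>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] withDoctype = ("<!DOCTYPE root [<!ENTITY e \"x\">]>"
                + "<root version=\"2.1\"><unit Code=\"m\"><name>&e;</name></unit></root>")
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("plain document accepted: " + accepts(plain));
        System.out.println("DOCTYPE document accepted: " + accepts(withDoctype));
        // Only a document that passes accepts() should be handed to UcumEssenceService.
    }
}
```

Because the gate rejects any DOCTYPE at all, it also blocks documents that merely carry a harmless DTD; for the UCUM essence file, which needs none, that is the intended trade-off.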

Weakness Enumeration

Related Identifiers

BDU:2024-11297
CVE-2024-55887
GHSA-W9J7-PHM3-F97J

Affected Products

Ucum-Java