SYNC-2021-2809 - XML eXternal Entity (XXE) vulnerability
Severity: Medium
Date: 2021-10-18
Abstract
The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. The buildSaxParser() method in the SaxEventRecorder class processes malicious external entities by default due to an unsafe XML parser configuration.
The Oxygen XML products incorporate logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability on those products.
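The root cause named above is an XML parser configured with its defaults, so external entities are resolved. The following is an added illustration of the hardened configuration a defender would want for a SAX parser; it is example code written for this advisory, not logback's SaxEventRecorder or any Oxygen code. The feature URIs are the standard SAX/Xerces names understood by the JDK's built-in parser; the class, method names and the two sample documents are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Example class (not part of logback or Oxygen) showing a SAX parser that does
// not resolve external entities.
public class HardenedSaxParserExample {

    // Build a SAX parser that refuses DOCTYPE declarations and never resolves
    // external general or parameter entities or an external DTD.
    static SAXParser buildHardenedSaxParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setValidating(false);
        factory.setXIncludeAware(false);
        // Reject any DOCTYPE at all; this single setting blocks classic XXE
        // and entity-expansion denial of service.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE:
        // no external entities and no external DTD loading.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newSAXParser();
    }

    // Returns true when the document was accepted and false when the hardened
    // parser rejected it; the rejection reason is logged for the operator.
    static boolean parse(String xml) throws Exception {
        try {
            buildHardenedSaxParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not taken from the advisory. The second one
        // carries only an internal entity, which is enough to trigger the
        // DOCTYPE rejection without referencing any external resource.
        String plain = "<configuration><appender name=\"STDOUT\"/></configuration>";
        String withDoctype = "<!DOCTYPE configuration [<!ENTITY name \"STDOUT\">]>"
                + "<configuration><appender name=\"&name;\"/></configuration>";
        System.out.println("plain document accepted: " + parse(plain));
        System.out.println("DOCTYPE document accepted: " + parse(withDoctype));
    }
}
```

The `disallow-doctype-decl` feature is the decisive setting: with it enabled the parser stops at the DOCTYPE before any entity, internal or external, is declared, so the remaining features only matter for parsers that must accept DTDs. Verifying that a dependency's parser factory sets these features (or upgrading to a release that does, as in the table below) is the practical check for this class of finding.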
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen XML Editor 23.1 and older versions | Medium | Oxygen XML Editor 24.0 |
| Oxygen XML Developer 23.1 and older versions | Medium | Oxygen XML Developer 24.0 |
| Oxygen XML Author 23.1 and older versions | Medium | Oxygen XML Author 24.0 |
| Oxygen Publishing Engine 23.1 and older versions | Medium | Oxygen Publishing Engine 24.0; Oxygen Publishing Engine 23.1 build 2021121413 |