Description

EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on his behalf, abusing the victim's trust relationship with other entities.

Remediation

References

https://www.kb.cert.org/vuls/id/779243

https://www.securityfocus.com/bid/94864/

Related Vulnerabilities

CVE-2018-18628 Vulnerability in maven package ro.pippo:pippo-session

CVE-2022-31190 Vulnerability in maven package org.dspace:dspace-xmlui

CVE-2019-19771 Vulnerability in npm package path-to-regxep

CVE-2022-23458 Vulnerability in maven package org.webjars.npm:tui-grid

CVE-2017-3164 Vulnerability in maven package org.apache.solr:solr-core

Severity

High

Classification

CWE-611 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory US Government Resource VDB Entry