Exposure of Sensitive Information to an Unauthorized Actor in Direct Web Remoting
Moderate severity
GitHub Reviewed
Published
May 17, 2022
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Package
Affected versions
< 2.0.11
>= 3.0.M1, <= 3.0.RC2
Patched versions
2.0.11
3.0.RC3
Description
Published by the National Vulnerability Database
Nov 24, 2014
Published to the GitHub Advisory Database
May 17, 2022
Reviewed
Jul 6, 2022
Last updated
Jan 27, 2023
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
References