CVE-2021-41042

Summary

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

Affected Software

VendorProductVersion RangeStatus
The Eclipse FoundationEclipse Lyo1.0.0 < unspecifiedaffected
The Eclipse FoundationEclipse Lyounspecified <= 4.1.0affected

Weaknesses

  • CWE-611: CWE-611

ADP Enrichment

CVE Program Container

Additional References

References