References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also imp

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CWE-611

CWE-918

https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities

https://github.com/geonetwork/core-geonetwork/pull/8757

https://github.com/geonetwork/core-geonetwork/pull/8803

https://github.com/geonetwork/core-geonetwork/pull/8812

https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc

https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc

https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw