Vulnerability Details : CVE-2021-4295
A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30. This vulnerability affects the function vocabularyValidationConfigurations of the file src/main/java/org/sitenv/vocabularies/configuration/CodeValidatorApiConfiguration.java of the component XML Handler. The manipulation leads to xml external entity reference. Upgrading to version 1.0.31 is able to address this issue. The name of the patch is fbd8ea121755a2d3d116b13f235bc8b61d8449af. It is recommended to upgrade the affected component. VDB-217018 is the identifier assigned to this vulnerability.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2021-4295
- cpe:2.3:a:healthit:code-validator-api:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-4295
0.22%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 61 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-4295
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5
|
MEDIUM | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.1
|
3.4
|
VulDB | |
5.5
|
MEDIUM | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.1
|
3.4
|
VulDB | 2024-02-29 |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2021-4295
-
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Assigned by:
- cna@vuldb.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2021-4295
-
https://vuldb.com/?ctiid.217018
CVE-2021-4295 | ONC code-validator-api XML CodeValidatorApiConfiguration.java vocabularyValidationConfigurations xml external entity reference (ID 97)Third Party Advisory
-
https://github.com/onc-healthit/code-validator-api/commit/fbd8ea121755a2d3d116b13f235bc8b61d8449af
Merge pull request #97 from radiovideo/XXE-vulnerability-fix · onc-healthit/code-validator-api@fbd8ea1 · GitHubPatch;Third Party Advisory
-
https://vuldb.com/?id.217018
CVE-2021-4295 | ONC code-validator-api XML CodeValidatorApiConfiguration.java vocabularyValidationConfigurations xml external entity reference (ID 97)Third Party Advisory
-
https://github.com/onc-healthit/code-validator-api/releases/tag/1.0.31
Release SITE 3.1.50 · onc-healthit/code-validator-api · GitHubThird Party Advisory
-
https://github.com/onc-healthit/code-validator-api/pull/97
Fix DocumentBuilderFactory XXE vulnerability by radiovideo · Pull Request #97 · onc-healthit/code-validator-api · GitHubThird Party Advisory
Jump to