Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apicurio/apicurio-registry: apicurio-registry: xml entity-expansion denial of service via internal dtd subset
Vulnerability Description
A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
DTD中递归实体索引的不恰当限制(XML实体扩展)
Vulnerability Title
Red Hat Apicurio Registry 资源管理错误漏洞
Vulnerability Description
Red Hat Apicurio Registry是美国Red Hat公司的一款用于管理与版本控制API模式与事件数据结构的开源注册中心。 Red Hat Apicurio Registry存在资源管理错误漏洞,该漏洞源于DocumentBuilderAccessor未禁用DOCTYPE声明且未启用FEATURE_SECURE_PROCESSING,具有artifact-write权限的攻击者可上传包含内部实体扩展有效载荷(billion-laughs变体)的XML文档,导致CPU和堆耗尽。
CVSS Information
N/A
Vulnerability Type
N/A