CVE-2024-55875

CVSS V2 None CVSS V3 None

Description

http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue.

Overview

CVE ID
CVE-2024-55875

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-12-12T18:56:59.499Z

Last Modified Date
2024-12-12T18:56:59.499Z

Weakness Enumerations

CWE	URL
CWE-200	http://cwe.mitre.org/data/definitions/200.html
CWE-611	http://cwe.mitre.org/data/definitions/611.html
CWE-918	http://cwe.mitre.org/data/definitions/918.html

References

Reference URL	Reference Tags
https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw	x_refsource_CONFIRM
https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc	x_refsource_MISC
https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-55875
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55875

History

Created	Old Value	New Value	Data Type	Notes
2024-12-13 13:19:47				Added to TrackCVE