CVE-2023-41034

DDFFileParser in eclipse leshan is vulnerable to XXE Attacks

Description

Eclipse Leshan is a device management server and client Java implementation. In affected versions DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to `XXE Attacks`. A DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory. This issue has been fixed in versions 1.5.0 and 2.0.0-M13. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.11%
Third-Party Advisory github.com
Affected: eclipse-leshan leshan
Published at:
Updated at:

References

Link Tags
https://github.com/eclipse-leshan/leshan/security/advisories/GHSA-wc9j-gc65-3cm7 mitigation third party advisory
https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013 patch
https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c patch
https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model product
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing not applicable

Frequently Asked Questions

What is the severity of CVE-2023-41034?
CVE-2023-41034 has been scored as a medium severity vulnerability.
How to fix CVE-2023-41034?
To fix CVE-2023-41034, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-41034 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-41034 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-41034?
CVE-2023-41034 affects eclipse-leshan leshan.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.