CVE-2025-31497

{"id": "CVE-2025-31497", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-04-15T20:15:39.270", "references": [{"url": "https://github.com/TEIC/TEIGarage/security/advisories/GHSA-w2hq-3cjc-2x55", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity (XXE) Injection vulnerability in its document conversion functionality. The service processes XML files during the conversion process but fails to disable external entity processing, allowing an attacker to read arbitrary files from the server's filesystem. This vulnerability could allow attackers to read sensitive files from the server's filesystem, potentially exposing configuration files, credentials, or other confidential information. Additionally, depending on the server configuration, this could potentially be used to perform server-side request forgery (SSRF) attacks by making the server connect to internal services. This issue is patched in version 1.2.4. A workaround for this vulnerability includes disabling external entity processing in the XML parser by setting the appropriate security features (e.g., XMLConstants.FEATURE_SECURE_PROCESSING)."}, {"lang": "es", "value": "TEIGarage es un servicio web y RESTful para transformar, convertir y validar diversos formatos, centr\u00e1ndose en el formato TEI. El Servicio de Conversi\u00f3n de Documentos contiene una vulnerabilidad cr\u00edtica de inyecci\u00f3n de entidades externas XML (XXE) en su funcionalidad de conversi\u00f3n. El servicio procesa archivos XML durante el proceso de conversi\u00f3n, pero no deshabilita el procesamiento de entidades externas, lo que permite a un atacante leer archivos arbitrarios del sistema de archivos del servidor. Esta vulnerabilidad podr\u00eda permitir a los atacantes leer archivos confidenciales del sistema de archivos del servidor, exponiendo potencialmente archivos de configuraci\u00f3n, credenciales u otra informaci\u00f3n confidencial. Adem\u00e1s, dependiendo de la configuraci\u00f3n del servidor, esto podr\u00eda utilizarse para realizar ataques de server-side request forgery (SSRF) al hacer que el servidor se conecte a servicios internos. Este problema est\u00e1 corregido en la versi\u00f3n 1.2.4. Un workaround para esta vulnerabilidad consiste en deshabilitar el procesamiento de entidades externas en el analizador XML mediante la configuraci\u00f3n de las funciones de seguridad adecuadas (p. ej., XMLConstants.FEATURE_SECURE_PROCESSING)."}], "lastModified": "2025-04-16T13:25:59.640", "sourceIdentifier": "security-advisories@github.com"}