CVE-2021-43090: 
Java vulnerability analysis and mitigation

An XML External Entity (XXE) vulnerability was discovered in soa-model before version 1.6.4, specifically affecting the WSDLParser function. The vulnerability was identified and tracked as CVE-2021-43090. This security issue was reported on October 25, 2021, and was addressed with the release of version 1.6.4 (GitHub Issue, NVD).

The vulnerability exists due to insecure XML parsing configuration in the WSDLParser function. The issue stems from the default XMLInputFactory settings that allow loading of DTD and external entities. The vulnerability is present in two specific files: core/src/main/groovy/com/predic8/schema/Include.groovy and core/src/main/groovy/com/predic8/soamodel/AbstractParser.groovy. The CVSS v3.1 base score for this vulnerability is 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The XXE vulnerability could allow attackers to read arbitrary files on the server, perform server-side request forgery (SSRF) attacks, or potentially execute arbitrary code when parsing XML input through the WSDLParser function (GitHub Issue).

The vulnerability was fixed in version 1.6.4 by disabling external entity resolution in the XML parser. The fix involves setting XMLInputFactory properties ISREPLACINGENTITYREFERENCES and ISSUPPORTINGEXTERNALENTITIES to false (GitHub Commit). Users are advised to upgrade to version 1.6.4 or later to address this vulnerability.