
Cloud Vulnerability DB
A community-led vulnerabilities database
ClassGraph before version 4.8.112 was not resistant to XML External Entity (XXE) attacks. The vulnerability was discovered and fixed in August 2021; CVE-2021-47621 was assigned to it in June 2024. The affected code path is the library's reading of pom.xml files during version detection (GitHub PR).
The root cause was insecure XML parsing: the pom.xml was parsed with a default JAXP configuration that resolves DTDs and external entities. The fix switched to securely configured DocumentBuilderFactory and XPathFactory instances, setting the standard hardening features: XInclude disabled, secure processing enabled, external DTD access disabled, and external entity references not resolved (GitHub Commit). NVD rates the vulnerability with a CVSS v3.1 base score of 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).
An attacker who can supply the pom.xml that the library parses could use an external entity to make the parser read local files and return their contents in place of the expected element value, leading to unauthorized disclosure of sensitive information. The practical impact was limited, because exploitation required access to the build system and the presence of both the ClassGraph.class binary file and the pom.xml Maven config file (GitHub Discussion).
The vulnerability was fixed in ClassGraph version 4.8.112, which applies the secure XML parser configuration described above. Users are advised to upgrade to 4.8.112 or later (GitHub Release).
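The hardening the fix describes, shown as an added example that is not ClassGraph's own code (the page does not quote the patched source): a default DocumentBuilderFactory, which resolves external entities, is placed beside one configured with the features the advisory lists, and both are used to read the version element from a constructed pom.xml that carries an XXE payload. The class and method names, the file path used in the entity, and the additional disallow-doctype-decl feature are assumptions for illustration, not details taken from the ClassGraph commit.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class PomXxeDemo {

    // Constructed pom.xml payload (not a real project file). The <version> element
    // expands an external entity that points at a local file; a parser with external
    // entities enabled reads that file and returns its contents as the "version".
    static final String POM_WITH_XXE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE project [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<project>\n" +
        "  <groupId>io.example</groupId>\n" +
        "  <artifactId>demo</artifactId>\n" +
        "  <version>&xxe;</version>\n" +
        "</project>\n";

    // Default JAXP factory: DTDs and external entities are resolved. This is the
    // shape of the pre-4.8.112 behaviour, kept here only as the "before" case.
    static DocumentBuilderFactory insecureFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory with the features the advisory names, plus a DOCTYPE ban
    // (assumed here; a pom.xml never needs a DOCTYPE, so rejecting it is safe).
    static DocumentBuilderFactory secureFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Prevent external entity references and external DTD loading.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enable secure processing and disable XInclude.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5: no protocol may be used to fetch external DTDs or schemas.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // XPathFactory with secure processing enabled, matching the fix's second change.
    static XPathFactory secureXPathFactory() throws XPathFactoryConfigurationException {
        XPathFactory xpf = XPathFactory.newInstance();
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return xpf;
    }

    // Parse the pom with the given factory and return the text of /project/version.
    static String readVersion(DocumentBuilderFactory dbf, String pom) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(pom.getBytes(StandardCharsets.UTF_8)));
        XPath xp = secureXPathFactory().newXPath();
        return xp.evaluate("/project/version", doc);
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the returned "version" is the content of the referenced
        // file (or an I/O error if it does not exist), i.e. the XXE succeeded.
        try {
            System.out.println("insecure: " + readVersion(insecureFactory(), POM_WITH_XXE));
        } catch (Exception e) {
            System.out.println("insecure: " + e);
        }
        // Hardened factory: the DOCTYPE is rejected before any entity is resolved.
        try {
            System.out.println("secure:   " + readVersion(secureFactory(), POM_WITH_XXE));
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("secure:   rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac PomXxeDemo.java && java PomXxeDemo`. The insecure path prints the referenced file's contents as the version string (on a host where that file exists), while the secure path fails fast with a parse error about the disallowed DOCTYPE. If a parser implementation does not support one of the named features, `setFeature` throws `ParserConfigurationException`; treat that as a hard failure rather than silently falling back to the default factory.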
Source: This report was generated using AI