
CVE-2023-46502: OpenCRX allows a remote attacker to execute arbitrary code via a crafted request

CVSS Score (CVSS v3.1)
9.8

Basic Information

EPSS Score
0.73478%
Published
10/31/2023
Updated
11/6/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
org.opencrx:opencrx-client
Ecosystem
maven
Vulnerable Versions
< 5.3.0
First Patched Version
5.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The patch modifies the getDocumentBuilder() method to add XXE protections: it enables the disallow-doctype-decl feature and disables external entity resolution and external DTD loading. Together with the CWE-611 mapping (Improper Restriction of XML External Entity Reference) and the advisory descriptions, this shows the issue was an XXE vector: a remote, unauthenticated attacker could submit XML carrying a crafted DOCTYPE, and the server would read local files or make outbound requests (SSRF) while resolving the declared entities. Before the patch, the DocumentBuilder was created without these security flags, so any XML the application parsed from untrusted input was open to external entity injection. Note that "execute arbitrary code" in the title is the wording of the CVE description; the technical evidence on this page (the CWE mapping and the nature of the fix) supports XXE, whose direct impact is file disclosure and SSRF.
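Added example (not OpenCRX code, and not the project's patch): a JAXP DocumentBuilder built the way an unhardened getDocumentBuilder() would plausibly be written, next to one carrying the protections the root-cause analysis names, both run against a constructed DOCTYPE payload. The class name, method bodies and sample XML are reconstructions for illustration; only the method name getDocumentBuilder() and the named protections (disallow DOCTYPE, no external entities, no external DTD loading) come from the advisory. The payload points at a local file so the demonstration stays offline; an http:// SYSTEM identifier in the same position is the SSRF variant.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class XxeHardeningDemo {

    // Constructed sample payload (not from the advisory): a DOCTYPE that declares an
    // external entity reading a local file. An attacker would instead use a path of
    // interest, or an http:// URL to turn the parser into an SSRF proxy.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<foo>&xxe;</foo>";

    // Hypothetical pre-fix shape: a default factory with no hardening, so the
    // parser honours the DOCTYPE and resolves the external entity.
    static DocumentBuilder getDocumentBuilderUnsafe() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder();
    }

    // Post-fix shape: the protections the advisory names. Rejecting DOCTYPE alone
    // defeats entity-based XXE; the remaining flags cover parsers or call sites
    // where a DOCTYPE has to be tolerated.
    static DocumentBuilder getDocumentBuilderHardened() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse any document that carries a DOCTYPE declaration at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Do not resolve external general or parameter entities.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD referenced from the document.
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another way to pull in remote content; entity expansion is
        // what turns a declared entity into file contents in the DOM.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parses the XML and reports either the text the parser produced (which, on the
    // unsafe path, is the contents of the referenced file) or the parser's refusal.
    static String parseAndDescribe(DocumentBuilder db, String xml) {
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed; root text = \"" + doc.getDocumentElement().getTextContent().trim() + "\"";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe   -> " + parseAndDescribe(getDocumentBuilderUnsafe(), XXE_PAYLOAD));
        System.out.println("hardened -> " + parseAndDescribe(getDocumentBuilderHardened(), XXE_PAYLOAD));
    }
}
```

Run with `javac XxeHardeningDemo.java && java XxeHardeningDemo`. On a host where /etc/hostname exists, the unsafe builder prints the hostname inside the root element, which is exactly the disclosure an XXE gives an attacker; the hardened builder fails fast with a SAXParseException complaining that DOCTYPE is disallowed, before any entity is resolved. When reviewing a fix like the one in 5.3.0, check every place a DocumentBuilderFactory, SAXParserFactory or XMLInputFactory is created, not only the one method the patch touched.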
