Vulnerability Description
FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. For this to occur, the XML-based format for sources and sinks had to be in use and the attacker had to be able to control the source/sink definition file. The vulnerability was patched in version 2.9.0. As a workaround, do not allow untrusted entities to control the source/sink definition file.
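The defensive side of this advisory in code: a SAX-based loader for an XML source/sink definition file with DTD processing and external entities switched off, so that a definition file carrying an external entity declaration is rejected before any file is read. This is an added example, not FlowDroid's own code or its 2.9.0 patch; the `<sinks>`/`<method signature="...">` element layout is a constructed toy schema, and `file:///PLACEHOLDER` is a placeholder, not a real path.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

public class HardenedSourceSinkParser {

    // Builds a SAXParserFactory with DTDs and external entities disabled.
    // A default SAXParserFactory resolves external entities, which is the
    // condition the advisory describes; these features close that path.
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any DOCTYPE at all: a definition file has no legitimate need for one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    // Collects the "signature" attribute of each <method> element (constructed toy schema).
    static class SourceSinkHandler extends DefaultHandler {
        final List<String> methods = new ArrayList<>();

        @Override
        public void startElement(String uri, String local, String qName, Attributes attrs) {
            if ("method".equals(qName)) {
                methods.add(attrs.getValue("signature"));
            }
        }
    }

    // Parses a definition file held in memory and returns the listed method signatures.
    static List<String> parse(String xml) throws Exception {
        SAXParser p = hardenedFactory().newSAXParser();
        SourceSinkHandler h = new SourceSinkHandler();
        p.parse(new InputSource(new StringReader(xml)), h);
        return h.methods;
    }

    public static void main(String[] args) throws Exception {
        // Constructed, benign definition file; predefined entities (&lt; &gt;) are still fine.
        String clean = "<sinks><method signature=\"&lt;android.util.Log: int d(java.lang.String,java.lang.String)&gt;\"/></sinks>";
        System.out.println("Parsed: " + parse(clean));

        // Constructed file that declares an external entity. With DOCTYPEs disallowed the
        // parser throws a SAXParseException before it ever tries to resolve the entity.
        String withDoctype = "<!DOCTYPE sinks [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
                + "<sinks><method signature=\"&ext;\"/></sinks>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac HardenedSourceSinkParser.java && java HardenedSourceSinkParser`; the first input yields the single signature, the second is rejected. Disallowing the DOCTYPE entirely is the simplest complete fix for a format that never needs one, and the remaining features guard against parser implementations that do not honour it.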
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Flowdroid Project | Flowdroid | < 2.9.0 |
Related Weaknesses (CWE)
References
- https://github.com/secure-software-engineering/FlowDroid/security/advisories/GHS (Third Party Advisory)
FAQ
What is CVE-2021-32754?
CVE-2021-32754 is a vulnerability with a CVSS score of 5.3 (MEDIUM). FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition ...
How severe is CVE-2021-32754?
CVE-2021-32754 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32754?
Check the references section above for vendor advisories and patch information. Affected products include: Flowdroid Project Flowdroid.