cvedb.io
CVE-2022-41967
HIGH · CVSS 7
EPSS exploitation probability: 0%
Published 2022-12-28T00:15:14.953 · Last modified 2026-06-17T05:04:09.197

Summary

Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML when `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not trying to resolve `SNAPSHOT` versions.

Affected products

hypera — dragonfly

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.