#Pleroma Security Release 2.5.4
Fix an XML External Entity (XXE) loading vulnerability that allowed arbitrary files to be fetched from the server's filesystem.
https://pleroma.social/announcements/2023/08/05/pleroma-security-release-2.5.4/
Also, it was reported by nostr:npub1j3pf2vg36vgxtmxjxuxcu5ynh5krrvl55qmy9rfx98d8pp4cawcsvzm7q2, so thanks a lot!
Hello friends, I invite you to check this blog post that I found after receiving the report:
https://vuln.be/post/xxe-in-erlang-and-elixir/
Apparently the bundled Erlang XML library xmerl, along with a few other Erlang/Elixir XML parsers, is vulnerable by default, and we had no clue.
At least we are now in the same company as Postgres, which also had this vulnerability in 2012 🥲
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489
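Added illustration, not part of the thread and not Pleroma's or xmerl's own code: an Elixir script that runs the default xmerl call (the "vulnerable by default" behaviour mentioned above) side by side with the same call given a fetch_fun that refuses every external fetch. The module name, the temp-file path and the payload are constructed for the demo; the fetch_fun option and its {:ok, :not_fetched, state} return value come from the xmerl_scan documentation. The demo reads only a file it wrote itself, standing in for /etc/passwd.

```elixir
# Added example, not code from Pleroma or the thread. Needs OTP's xmerl
# application (run with `elixir xxe_demo.exs`; in a Mix project list :xmerl
# under extra_applications). The path, payload and module name are constructed
# for the demonstration.
defmodule XmerlXxeDemo do
  require Record
  Record.defrecord(:xmlText, Record.extract(:xmlText, from_lib: "xmerl/include/xmerl.hrl"))

  # Constructed stand-in for /etc/passwd so the demo only reads a file it wrote.
  def write_secret do
    path = Path.join(System.tmp_dir!(), "xxe-demo-secret.txt")
    File.write!(path, "root:x:0:0:constructed-secret\n")
    path
  end

  # Classic XXE payload: an external general entity whose SYSTEM identifier is a file URI.
  def payload(path) do
    ~s(<?xml version="1.0"?>\n<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file://#{path}">]>\n<foo>&xxe;</foo>)
  end

  # Vulnerable as shipped: with no options, xmerl's built-in fetch_fun resolves the
  # SYSTEM URI, reads the file and splices its contents into <foo>.
  def parse_default(xml) do
    {doc, _rest} = :xmerl_scan.string(String.to_charlist(xml))
    text_of(doc)
  end

  # Hardened: a fetch_fun that answers every external fetch with :not_fetched.
  # xmerl treats an unfetched external entity as a fatal error and exits, so the
  # payload is rejected instead of expanded; benign input still parses normally.
  def parse_hardened(xml) do
    refuse = fn _ext_spec, state -> {:ok, :not_fetched, state} end

    try do
      {doc, _rest} = :xmerl_scan.string(String.to_charlist(xml), fetch_fun: refuse)
      {:ok, text_of(doc)}
    catch
      :exit, reason -> {:error, reason}
    end
  end

  # Concatenate the text children of <foo>.
  defp text_of(doc) do
    String.to_charlist("//foo/text()")
    |> :xmerl_xpath.string(doc)
    |> Enum.map(fn node -> node |> xmlText(:value) |> to_string() end)
    |> Enum.join()
  end
end

path = XmerlXxeDemo.write_secret()
xml = XmerlXxeDemo.payload(path)

IO.puts("default options:    " <> inspect(XmerlXxeDemo.parse_default(xml)))
IO.puts("refusing fetch_fun: " <> inspect(XmerlXxeDemo.parse_hardened(xml)))
IO.puts("benign document:    " <> inspect(XmerlXxeDemo.parse_hardened("<foo>hello</foo>")))
File.rm!(path)
```

With default options the first line should print the contents of the constructed secret file, which is exactly what an attacker-supplied document gets to read on a server that parses untrusted XML this way. The refusing fetch_fun turns the same payload into an `{:error, {:fatal, ...}}` exit while the benign document still yields `{:ok, "hello"}`. Every call to `:xmerl_scan.string/1,2` or `:xmerl_scan.file/1,2` on untrusted input needs such an option (or a parser that does not resolve external entities at all); wrappers built on xmerl inherit the default unless they forward one.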
nostr:npub1ysufjjd485tftr4wy2a83fqyqvtfq0yn820gl8vl6hcsdz8uv2hskx2jyl how can this be exploited?
nostr:npub1ysufjjd485tftr4wy2a83fqyqvtfq0yn820gl8vl6hcsdz8uv2hskx2jyl dawg another one?