
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN006
_____________________________________________________________________

DATE                : 07/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache SIS versions prior to 1.6.

=====================================================================
https://lists.apache.org/thread/s4ggy3zbtrrn93glgo2vn52lgcxk4bp4
_____________________________________________________________________

CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability
Severity: moderate

Affected versions:

- Apache SIS (org.apache.sis.core:sis-metadata) 0.4 through 1.5

Description:

Improper Restriction of XML External Entity Reference vulnerability
in Apache SIS.


An XML file can be crafted so that, when it is parsed by Apache SIS, it
discloses to the attacker the content of a local file on the server
running Apache SIS (an XML External Entity, or XXE, attack). This
vulnerability impacts the following SIS services:


  *  Reading of GeoTIFF files having the GEO_METADATA tag defined by
the Defense Geospatial Information Working Group (DGIWG).

  *  Parsing of ISO 19115 metadata in XML format.

  *  Parsing of Coordinate Reference Systems defined in the GML format.

  *  Parsing of files in GPS Exchange Format (GPX).


This issue affects Apache SIS from versions 0.4 through 1.5 inclusive.
Users are recommended to upgrade to version 1.6, which fixes the issue.
In the meantime, the vulnerability can be avoided by launching Java with
the javax.xml.accessExternalDTD system property set to a comma-separated
list of authorized protocols (an empty string authorizes none, which
blocks the file: and http: entity references used by XXE). This JAXP
property is honored by the JDK's own XML parsers, so it applies to the
parsers SIS uses internally without any change to SIS. For example:


java -Djavax.xml.accessExternalDTD="" ...
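
The following program, added here as an illustration and not taken from
Apache SIS or from the advisory, shows what that property changes. It
writes a constructed "secret" file, builds a minimal XXE payload shaped
like an ISO 19115 metadata document (the gmd namespace and element names
are real, but the document is not valid metadata), and parses it twice
with the JDK's DOM parser: once with default JAXP settings, where the
entity is expanded and the file content appears in the parsed document,
and once with accessExternalDTD set to the empty string, where the parser
rejects the external entity. Setting the attribute on the factory is the
per-factory equivalent of the JVM-wide -Djavax.xml.accessExternalDTD
option that the advisory recommends; the system property is the practical
choice for SIS deployments, since the application does not control the
factories SIS creates.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not Apache SIS code): shows how the accessExternalDTD
 * JAXP property stops a file-disclosing XXE payload. The XML below is a
 * constructed stand-in for an ISO 19115 metadata document.
 */
public class XxeDtdRestriction {

    private static final String GMD = "http://www.isotc211.org/2005/gmd";

    /** Builds a payload whose external general entity points at {@code secret}. */
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE gmd:MD_Metadata [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<gmd:MD_Metadata xmlns:gmd=\"" + GMD + "\">\n"
             + "  <gmd:fileIdentifier>&xxe;</gmd:fileIdentifier>\n"
             + "</gmd:MD_Metadata>\n";
    }

    /**
     * Parses the document and returns the text of gmd:fileIdentifier.
     * A null {@code allowedProtocols} keeps the JDK default (no restriction);
     * any other value is applied exactly as -Djavax.xml.accessExternalDTD would
     * be, but for this factory only.
     */
    static String parseIdentifier(String xml, String allowedProtocols) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        if (allowedProtocols != null) {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, allowedProtocols);
        }
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagNameNS(GMD, "fileIdentifier").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret standing in for a real local file on the server.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db-password=hunter2");
        String xml = payload(secret);
        try {
            // Default JAXP settings: the entity is resolved and the file content
            // becomes the element text, i.e. the disclosure described in the advisory.
            System.out.println("unrestricted: " + parseIdentifier(xml, null));

            // Empty protocol list, as in the advisory's mitigation: the parser
            // refuses to read the file: entity and fails with a fatal parse error.
            try {
                System.out.println("restricted:   " + parseIdentifier(xml, ""));
            } catch (SAXParseException e) {
                System.out.println("restricted:   rejected: " + e.getMessage());
            }
        } finally {
            Files.delete(secret);
        }
    }
}
```

Run it with `java XxeDtdRestriction.java` on a JDK whose JAXP defaults
have not been hardened. Running the same program with
`java -Djavax.xml.accessExternalDTD="" XxeDtdRestriction.java` makes even
the "unrestricted" parse fail, which is the behaviour the advisory's
workaround relies on: the property is read by every JDK parser instance in
the JVM, including those created inside Apache SIS.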


Credit:

LEE (finder)


References:

https://sis.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-68280


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
