Impact
FlowDroid contained an XXE vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. The following conditions all had to be met:
- The XML-based format for sources and sinks is used
- The attacker can control the source/sink definition file
Patches
Upgrade to version 2.9.0 (proper release, not earlier snapshot versions)
Workarounds
Do not allow untrusted entities to control the source/sink definition file.
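Where definition files come from a location you do not fully control and upgrading is not yet possible, one way to enforce this workaround is to screen each file with a parser that refuses any DOCTYPE before the file is handed to the analysis. The class below is an added example, not FlowDroid code and not the project's patch. The class name `DefinitionFileGate`, the method `isSafeDefinition` and the sample documents (including their element names) are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example (hypothetical helper): screens a source/sink XML file before use. */
public class DefinitionFileGate {

    /** Returns true only if the document is well-formed and declares no DOCTYPE. */
    static boolean isSafeDefinition(InputStream in) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright, so no entity (internal or external) can be declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is relaxed later.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        SAXParser parser = factory.newSAXParser();
        try {
            // DefaultHandler ignores content; only the parse outcome matters here.
            parser.parse(in, new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false; // malformed document, or a DOCTYPE was present
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; element names are illustrative, not FlowDroid's real schema.
        String benign = "<sinkSources><category id=\"NO_CATEGORY\"/></sinkSources>";
        String withDoctype =
                "<!DOCTYPE sinkSources [<!ENTITY x SYSTEM \"file:///placeholder\">]>"
                + "<sinkSources>&x;</sinkSources>";
        for (String doc : new String[] { benign, withDoctype }) {
            InputStream in = new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8));
            System.out.println(isSafeDefinition(in) ? "accept" : "reject");
        }
    }
}
```

A file that fails this check should be discarded rather than passed on; the check does not replace upgrading to 2.9.0.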
References
None.