CVE-2020-25020

Advisory

MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

* Fix CVE-2020-25020: XXE vulnerability (with thanks to Sangeetha Rajesh S, ZOHO Corporation)
* Import milestone constraints from Asta schedules (Contributed by Dave McKay)
* Handle elapsed durations in Asta schedules (Based on a contribution by Dave McKay)
* Correctly determine the constraint type for tasks with ALAP placement with or without predecessors when reading from from Asta schedules (Contributed by Dave McKay)
* Gracefully handle a missing table name when reading an XER file.
* Gracefully handle a unexpected calendar data when reading an XER file.
* Correctly handle XER files with multi-byte character encoding.
* Import all schedule and leveling options from XER files.
* Ensure project calendars are read from PMXML files.
* Added readAll methods to PrimaveraPMFileReader to allow all projects contained in a PMXML file to be read in a single pass.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25020
• https://github.com/joniles/mpxj/pull/178/commits/c3e457f7a16facfe563eade82b0fa8736a8c96f9
• https://www.oracle.com/security-alerts/cpujan2021.html