Jdom2 XXE injection vulnerability #469
Comments
|
We disallow Doctype declarations by default. So this is only an issuewhen someone enables Doctype declarations. |
|
@PatrickGotthard Would you mind going into more detail on how somebody would enable Doctype declarations in Rome, so we could check if we do (on purpose or by error)? |
|
Have a look at #203 |
|
@PatrickGotthard Thanks for the clarification. That only applies when reading feeds, right? Are there any risks involved when creating feeds, e.g. disclosing files via: <?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo> |
|
Only when you create an XML bomb yourself and consume it yourself afterwards :D |
PatrickGotthard
added a commit
that referenced
this issue
Jul 6, 2021
|
I've fixed the security issue and published version 1.16.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
jdom2 is vulnerable to XML External Entity (XXE) Injection. See:
jdom2 will most likely not be updated, an alternative should be found as already suggested in #455
The text was updated successfully, but these errors were encountered: