Description
When Apache Commons Jelly parses a Jelly (XML) script with Apache Xerces, a custom DOCTYPE can declare an external entity with the SYSTEM keyword and a URL. If that entity is then referenced in the body of the Jelly file, the parser attempts to connect to the URL as soon as it is instantiated to parse the file, before any of the script's own logic is involved. This allows XML External Entity (XXE) attacks against Apache Commons Jelly before 1.0.1.
Remediation
Upgrade to Apache Commons Jelly 1.0.1 or later.
References
https://issues.apache.org/jira/browse/JELLY-293
http://www.securitytracker.com/id/1039444
http://www.securityfocus.com/bid/101052
https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3E