
Ensure that defaults for XMLInputFactory have expansion of external parsed general entities disabled [CVE-2016-3720] #190

Closed

cowtowncoder opened this issue Apr 14, 2016 · 6 comments

Labels: cve (Issues related to public CVEs (security vuln reports))

Comments

@cowtowncoder
Member

To reduce the likelihood of malicious XXE, let's ensure that XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES is disabled by default when instantiated by Jackson.
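
An added check, not code from this issue or from Jackson itself, that applies the setting requested above to a StAX factory, wires that factory into an XmlMapper, and probes whether an external entity pointing at a temp file the program creates itself gets expanded. Disabling SUPPORT_DTD as well is an assumption that goes beyond the issue text, and the class and method names are hypothetical.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class HardenedXmlInputCheck {
    // StAX factory with the default the issue asks for; SUPPORT_DTD=false goes beyond
    // the issue text but removes the DOCTYPE that external entities need in the first place.
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return f;
    }

    // Regression probe: a constructed document declares an external entity pointing at a
    // temp file we create ourselves; returns true only if the file's marker text leaks out.
    static boolean externalEntityWasExpanded(XMLInputFactory factory) throws Exception {
        String marker = "LOCAL-FILE-CONTENT-MARKER";  // constructed test data
        Path tmp = Files.createTempFile("entity-probe", ".txt");
        Files.writeString(tmp, marker);
        String doc = "<!DOCTYPE r [<!ENTITY ext SYSTEM \"" + tmp.toUri() + "\">]><r>&ext;</r>";
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(doc));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) text.append(r.getText());
            }
        } catch (XMLStreamException e) {
            // Rejecting the DOCTYPE outright is an acceptable outcome for a hardened parser.
        } finally {
            Files.deleteIfExists(tmp);
        }
        return text.toString().contains(marker);
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory hardened = hardenedInputFactory();
        System.out.println("expanded with hardened factory: " + externalEntityWasExpanded(hardened));
        // XmlFactory(XMLInputFactory) lets Jackson use the hardened factory instead of its default.
        XmlMapper mapper = new XmlMapper(new XmlFactory(hardened));
        JsonNode n = mapper.readTree("<root><a>1</a></root>");
        System.out.println("ordinary input still parses: " + n.get("a").asText());
    }
}
```

Run the probe against the factory your application actually builds; a `true` result means the marker crossed the parser boundary and the defaults in use are not the hardened ones.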

@astellingwerf

Will you update the corresponding entry in the NVD with fix versions?

@cowtowncoder
Member Author

@astellingwerf I had nothing to do with filing the CVEs in question, nor do I have access. I have tried contacting Red Hat and we'll see where that leads. If anyone has contacts to follow up with, that would be helpful.

@brettcave

Have also followed up with RH via their ticket that filed the vulnerability - https://bugzilla.redhat.com/show_bug.cgi?id=1328427
It may be due to the ticket status still showing as NEW and needing a resolution and/or re-testing.

@cowtowncoder
Member Author

@brettcave thank you for your help with the Bugzilla entry. 2.7.4 is the version here; and 2.8.0 includes fixed default settings.

@brettcave

Thanks @cowtowncoder. Both 2.7.4 and 2.8.0 still fail CVE / OWASP checks as the database needs to be updated; waiting on RH to update it, assuming it was logged based on their Bugzilla issue.

@cowtowncoder
Member Author

FWIW this is related to http://www.cvedetails.com/cve/CVE-2016-3720

cowtowncoder changed the title from "Ensure that defaults for XMLInputFactory have expansion of external parsed general entities disabled" to "Ensure that defaults for XMLInputFactory have expansion of external parsed general entities disabled [CVE-2016-3720]" on Oct 22, 2022
cowtowncoder added the cve label (Issues related to public CVEs (security vuln reports)) on Oct 22, 2022
cowtowncoder added a commit that referenced this issue Oct 22, 2022