Disable SUPPORT_DTD for XMLInputFactory unless explicitly overridden [CVE-2016-7051] #211

Closed
cowtowncoder opened this issue Sep 22, 2016 · 5 comments
Labels
cve Issues related to public CVEs (security vuln reports)
Milestone

Comments

@cowtowncoder
Member

Although the XML specification defines DTD handling as part of core XML processing, for most XML use cases in networking systems DTDs are either not used or are a minority use case. Conversely, use of DTDs is often actually an anti-pattern considering access restrictions and overhead.
With this in mind, it would probably make sense to change the defaults to disable DTD processing and just allow changing settings to enable it for cases where it is needed, as opposed to the other way around.

Compared to other default changes it would probably make sense to actually add a specific feature; but if that is not possible, then just a simple setter for XmlMapper. Regardless, it'd be easier to do this than to expect the user to pre-configure XMLInputFactory.
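The configuration the issue proposes (DTD processing off unless a caller explicitly turns it on), shown as an added example that is not code from the jackson-dataformat-xml project itself. It constructs the StAX `XMLInputFactory` with `SUPPORT_DTD` set to false and hands it to `XmlMapper` through `XmlFactory`, which is the same setting the 2.7.8 / 2.8.4 fix applies by default; the `IS_SUPPORTING_EXTERNAL_ENTITIES` line, the two sample documents and the `Greeting` class are this example's own additions. The second document depends on an entity declared in its internal DTD subset, so with DTD processing disabled the reference cannot be resolved and the parser is expected to reject it (the exact exception class depends on the StAX implementation, which is why the catch is generic).

```java
import javax.xml.stream.XMLInputFactory;

import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class DtdDisabledMapper {

    // Constructed sample: an ordinary document with no DOCTYPE.
    static final String PLAIN_DOC = "<Greeting><text>hello</text></Greeting>";

    // Constructed sample: same shape, but the value is an entity declared in the
    // internal DTD subset, so it only resolves if the parser processes the DTD.
    static final String DTD_DOC =
        "<!DOCTYPE Greeting [ <!ENTITY msg \"hello\"> ]>"
        + "<Greeting><text>&msg;</text></Greeting>";

    // Hypothetical target type for the sample documents.
    public static class Greeting {
        public String text;
    }

    /** XmlMapper whose StAX input factory has DTD processing switched off. */
    public static XmlMapper hardenedMapper() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        // The setting this issue asks to make the default.
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Belt and braces: never fetch external entities even if DTDs get re-enabled.
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return new XmlMapper(new XmlFactory(in));
    }

    /** Explicit opt-in for the minority of callers that genuinely need DTDs. */
    public static XmlMapper dtdEnabledMapper() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return new XmlMapper(new XmlFactory(in));
    }

    public static void main(String[] args) throws Exception {
        XmlMapper mapper = hardenedMapper();

        // A document without a DOCTYPE is unaffected by the change.
        Greeting g = mapper.readValue(PLAIN_DOC, Greeting.class);
        System.out.println("plain document parsed, text=" + g.text);

        // A document that relies on its DTD is refused rather than silently processed.
        try {
            mapper.readValue(DTD_DOC, Greeting.class);
            System.out.println("unexpected: DTD-dependent document was accepted");
        } catch (Exception e) {
            System.out.println("DTD-dependent document rejected: "
                + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Running `main` with a pre-fix Jackson version shows the difference the issue is about: without the explicit `SUPPORT_DTD=false`, the second document parses and `text` comes back as `hello`; with it, only the plain document is accepted. Code that really needs DTDs calls `dtdEnabledMapper()` deliberately, which is the "explicitly overridden" path in the issue title.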

@cowtowncoder cowtowncoder changed the title Default changes for XMLInputFactory, consider disabling DTD handling Disable SUPPORT_DTD for XMLInputFactory unless explicitly overridden Sep 27, 2016
@cowtowncoder cowtowncoder added this to the 2.7.8 milestone Sep 27, 2016
@cowtowncoder
Member Author

cowtowncoder commented Nov 10, 2016

Was implemented for '2.7.8' and '2.8.4'.

@cowtowncoder
Member Author

Update at https://nvd.nist.gov/vuln/detail/CVE-2016-7051 -- now includes information on fixed-in version.

@dreamuth

Thanks for fixing this. But https://nvd.nist.gov/vuln/detail/CVE-2016-7051 is still not updated with the fixed-in version under "Vulnerable software and versions".

@cowtowncoder
Member Author

I sent an update request with information, but I do not have access to change any of it directly.
So I am not quite sure what to do there. Help would be appreciated.
