oss-sec mailing list archives
CVE request - XStream: XXE vulnerability
From: Jörg Schaible <joerg.schaible () gmx de>
Date: Fri, 25 Mar 2016 16:04:38 +0100
Hi all,

XStream (x-stream.github.io) is a Java library to marshal Java objects into XML and back. For this purpose it supports a lot of different XML parsers. Some of those can also process external entities, which was enabled by default. An attacker could therefore provide manipulated XML as input to access data on the file system, see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Since XStream 1.4.9 all parsers are configured to ignore external entities by default as far as such behavior is configurable: http://x-stream.github.io/changes.html#1.4.9

Luckily XStream's default parser Xpp3 does not parse entities at all. However, all applications that use XStream >= 1.4.8 explicitly with parsers based on StAX, W3C DOM, Dom4J, JDOM or JDOM2 were affected unless the parsers had been properly configured manually. Applications using XOM or explicitly BEA's old StAX reference parser are still vulnerable; we found no way to deactivate processing of external entities for those two.

Regards,
Jörg
On behalf of the XStream community
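The "properly configured manually" case mentioned above, as an added example that is not part of the post or of XStream's own code: a StaxDriver subclass that turns off DTD and external-entity support on the underlying StAX factory, which is what an application on XStream < 1.4.9 had to do itself. The class and field names (HardenedStaxDriver, Note) and the sample document are constructed for this illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import javax.xml.stream.XMLInputFactory;

// Hypothetical hardened driver: every XMLInputFactory it hands to XStream
// refuses DTDs and external entities, so an external entity is never resolved.
public class HardenedStaxDriver extends StaxDriver {

    @Override
    protected XMLInputFactory createInputFactory() {
        XMLInputFactory factory = super.createInputFactory();
        // Standard StAX properties: no external entity resolution and no DTD processing.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return factory;
    }

    // Constructed target type for the sample document.
    public static class Note {
        String text;
    }

    // Returns true if the document could not be turned into a Note whose text
    // contains resolved entity content, i.e. the hardening held.
    public static boolean entityNotResolved(String xml) {
        XStream xstream = new XStream(new HardenedStaxDriver());
        xstream.allowTypes(new Class[] { Note.class });
        xstream.alias("note", Note.class);
        try {
            Note note = (Note) xstream.fromXML(xml);
            // Some StAX implementations leave the reference unexpanded rather than failing.
            return note.text == null || note.text.isEmpty();
        } catch (Exception e) {
            // With SUPPORT_DTD=false a DOCTYPE is typically rejected outright.
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: a DOCTYPE declaring an external entity that
        // points at a harmless, non-existent placeholder path.
        String sample = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\">]>"
            + "<note><text>&ext;</text></note>";
        System.out.println("external entity blocked: " + entityNotResolved(sample));
    }
}
```

The same idea applies to the DOM-based drivers via DocumentBuilderFactory features; as the post notes, XOM and BEA's old StAX reference parser offer no such switch.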
Current thread:
- CVE request - XStream: XXE vulnerability Jörg Schaible (Mar 25)
- Re: CVE request - XStream: XXE vulnerability cve-assign (Mar 28)