`DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases [CVE-2020-25649]
As per description: https://github.com/FasterXML/jackson-databind/blob/master/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java#L30 and https://github.com/FasterXML/jackson-databind/blob/master/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java#L33
are not enough to stop expansion of entities. Depending on the provider (Xerces) being used, it might work with the current DOMDeserializer or not. If the JDK default is used (at least the one I used at the time of testing), it won't allow entities to be expanded; however, if another provider from the classpath is used it might. For instance, xerces-2.12… does allow (IIRC) expansion.
I tinkered a bit with databind classes and I had something like:
```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setValidating(true);
factory.setExpandEntityReferences(false);                        // not sufficient on its own
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // rejects any DOCTYPE
```
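The point of the report above is that `setExpandEntityReferences(false)` only governs how entity references appear in the resulting DOM on some providers, while the decisive control is refusing a DOCTYPE altogether. The following is an added example, not code from the issue or from jackson-databind: it builds a `DocumentBuilderFactory` using the Xerces feature URIs recommended in the OWASP cheat sheet, then verifies that the provider actually honours them by parsing a constructed document carrying a harmless internal entity. The class name `HardenedDomFactory` and the sample documents are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added example (not jackson-databind code): a DocumentBuilderFactory whose
 * hardening does not depend on which JAXP provider is on the classpath, plus a
 * self-check that fails closed if the provider ignores the features.
 */
public final class HardenedDomFactory {

    // Feature URIs understood by Xerces-derived parsers (the JDK built-in parser and Apache Xerces).
    static final String DISALLOW_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Returns a factory that rejects any DOCTYPE, so no entity (internal or external) can be declared. */
    public static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The decisive setting: with no DOCTYPE allowed there is nothing to expand.
        // setFeature throws ParserConfigurationException if the provider does not know
        // the feature, which is the right outcome: better to fail than to parse unsafely.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth for providers that would accept a DOCTYPE anyway.
        factory.setFeature(EXTERNAL_GENERAL, false);
        factory.setFeature(EXTERNAL_PARAMETER, false);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /** Parses the given XML text with the hardened factory; throws if a DOCTYPE is present. */
    public static Document parse(String xml) throws Exception {
        DocumentBuilder builder = newHardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Startup or unit-test check: a constructed document with a DOCTYPE and a harmless
     * internal entity must be rejected, while a plain document must still parse.
     */
    public static boolean selfCheck() {
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        String plain = "<?xml version=\"1.0\"?><r>ok</r>";
        boolean rejected;
        try {
            parse(withDoctype);
            rejected = false;            // provider ignored the feature: do not trust this factory
        } catch (SAXParseException expected) {
            rejected = true;             // "DOCTYPE is disallowed" from a Xerces-based parser
        } catch (Exception other) {
            rejected = false;
        }
        boolean accepted;
        try {
            accepted = "ok".equals(parse(plain).getDocumentElement().getTextContent());
        } catch (Exception e) {
            accepted = false;
        }
        return rejected && accepted;
    }

    public static void main(String[] args) {
        System.out.println(selfCheck() ? "hardened factory OK" : "hardened factory NOT effective");
    }
}
```

Running `selfCheck()` once at application start (or as a unit test) catches exactly the situation the report describes: a different provider landing on the classpath and quietly changing the parser's behaviour. Note that `setValidating(true)` from the snippet above is deliberately left out here; validation makes the parser fetch DTDs and is not a protective setting.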
Issue Analytics
- Created 4 years ago
- Comments: 22 (12 by maintainers)
Top GitHub Comments
@melloware It was always fixed in 2.11.0, and as a consequence also fixed in 2.12.0. I have no idea what Sonatype or other security vendors do; they probably need to update something in their CVE databases. I only get to contribute my free labor to support their core business.
@sourabhsparkala Due to variability in the time I have for development and all related tasks, I typically do not set out dates for various releases. This is a relatively low-priority thing for me because it's just a single fix, and while there's a CVE id registered, it seems unlikely to be exploitable by anybody.
But I will go ahead and create a separate issue for that micro-patch so I won't forget. Maybe I'll get the patch out by November; the main limitation is that I will not want to release any more versions of 2.10.x, and after this patch I will probably close the 2.10 branch for good. 2.11.x has been out for a while, and 2.12.0 should be out in November. I think 2.10.5.1 will be released right after 2.12.0.