Ensure that defaults for `XMLInputFactory` have expansion of external parsed general entities disabled [CVE-2016-3720]

See original GitHub issue

To reduce likelihood of malicious XXE, let’s ensure that XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES is disabled by default when instantiated by Jackson.
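As an added example (not code from the issue or from Jackson itself): a Java self-test that compares an `XMLInputFactory` with external entities enabled against one with `IS_SUPPORTING_EXTERNAL_ENTITIES` set to false, using a constructed document whose external entity points at a temp file the test creates, then hands the hardened factory to Jackson's `XmlMapper`. It assumes JDK 11+ and jackson-dataformat-xml on the classpath; the class and method names are my own.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class XxeDefaultsCheck {

    /** Factory configured the way the issue requests: external entity expansion off. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Self-test: the DOCTYPE points an external entity at a temp file we create;
     *  returns true only if the file's marker text reached the application. */
    static boolean leaksExternalEntity(XMLInputFactory factory) throws Exception {
        Path canary = Files.createTempFile("xxe-canary", ".txt");   // constructed canary file
        Files.writeString(canary, "CANARY-CONTENT");
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"" + canary.toUri() + "\"> ]>\n"
            + "<doc>&ext;</doc>";
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
        } catch (XMLStreamException e) {
            // A hardened parser may reject the document outright; that is also a safe outcome.
        } finally {
            Files.deleteIfExists(canary);
        }
        return text.toString().contains("CANARY-CONTENT");
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory permissive = XMLInputFactory.newInstance();
        permissive.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.TRUE);
        System.out.println("permissive factory leaks: " + leaksExternalEntity(permissive));
        System.out.println("hardened factory leaks:   " + leaksExternalEntity(hardenedFactory()));
        // Pass the hardened factory to Jackson so XmlMapper uses it whatever the library defaults are.
        XmlMapper mapper = new XmlMapper(hardenedFactory());
    }
}
```

The same `leaksExternalEntity` check can be run against the factory Jackson builds on its own (via `XmlMapper`'s `XmlFactory`) to confirm which default a given Jackson version ships with.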

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
cowtowncoder commented, Jul 13, 2016

@brettcave thank you for your help with bugzilla entry. 2.7.4 is the version here; and 2.8.0 includes fixed default settings.

0 reactions
cowtowncoder commented, May 20, 2017
