The issue is concerned with XML entity resolution. The idea is to use an XML entity to resolve to an local file on the host system (for instance, /etc/passwd). See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details. To resolve this issue, simply disable external entity resolution when dealing with XML from external sources. The way to do that depends on the XML API that you use.
When using DOM, simply set the expandEntityReferences property on the DocumentBuilderFactory to false. For instance:
When using SAX, set the "http://xml.org/sax/features/external-general-entities" feature on the XMLReader to false. For instance:
When using StAX, set the IS_REPLACING_ENTITY_REFERENCES property on the XMLInputFactory to false. For instance:
When using any of the Spring OXM Marshallers for unmarshalling from an external source, please use the code above to disable entity resolution before passing on a Source to the marshaller. For instance, when using DOM: