Jaxb2RootElementHttpMessageConverter is susceptible to XXE vulnerability

Details

• Type: Bug
• Status: Closed
• Priority: Critical
• Resolution: Complete
• Affects Version/s: 3.2.5
• Fix Version/s: 3.2.8, 4.0.2
• Component/s: Web
• Security Level: Public

Description

For background information, see XXE vulnerability.

This seems to not have been fixed in Jaxb2RootElementHttpMessageConverter when it was fixed in Jaxb2CollectionHttpMessageConverter. The way it is solved in Jaxb2CollectionHttpMessageConverter is by hard-coding the property for resolving external entities to false. See SPR-10806 and the attached patch.

By default the XML parser will parse and replace external entities. Also, there is no way to configure how Jaxb2RootElementHttpMessageConverter handles external entities.
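The description points at the root cause: JAXB's Unmarshaller, when handed a raw Reader or InputStream, builds its own parser with external entity resolution enabled. The hardening shown below is an added example, not the Spring Framework's fix or the attached patch; it feeds JAXB a SAXSource backed by a reader on which the SAX external-entity features are switched off, so the default parser is never used. The Greeting class and the three SAX feature URIs are this example's own choices (the page does not name the property the collection converter sets).

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SafeJaxbUnmarshal {

    // Hypothetical payload type standing in for whatever @XmlRootElement class a controller binds.
    @XmlRootElement(name = "greeting")
    public static class Greeting {
        public String message;
    }

    // Builds a SAX reader with external entity resolution disabled; JAXB will reuse it instead
    // of creating its own (default-configured) parser.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Neither fetch nor expand external general or parameter entities (the XXE vector).
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Reject any DOCTYPE outright: it is the only place an entity can be declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newSAXParser().getXMLReader();
    }

    static <T> T unmarshal(Class<T> type, String xml) throws Exception {
        Unmarshaller unmarshaller = JAXBContext.newInstance(type).createUnmarshaller();
        SAXSource source = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        // Passing a SAXSource (rather than a Reader) is what makes JAXB use the hardened reader.
        return type.cast(unmarshaller.unmarshal(source));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; a document carrying a DOCTYPE is rejected before unmarshalling.
        String xml = "<greeting><message>hello</message></greeting>";
        System.out.println(unmarshal(Greeting.class, xml).message);
    }
}
```

A StAX-based converter gets the equivalent protection by setting XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES and XMLInputFactory.SUPPORT_DTD to false on the factory it creates readers from.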

People

• Assignee: Rossen Stoyanchev (rstoya05-aop)
• Reporter: Spase Markovski (berzerker)
• Last updater: Juergen Hoeller
