Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-13136

XML input vulnerability based on DTD declaration

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 3.2.14, 4.1.7, 4.2 RC2
    • Component/s: OXM, Web
    • Security Level: Public
    • Labels:
      None
    • Last commented by a User:
      false

      Description

      If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                rstoya05-aop Rossen Stoyanchev
                Reporter:
                making Toshiaki Maki
                Last updater:
                Juergen Hoeller
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  3 years, 25 weeks, 1 day ago