[SPR-13136] XML input vulnerability based on DTD declaration Created: 16/Jun/15  Updated: 20/Jul/17  Resolved: 30/Jun/15

Status: Closed
Project: Spring Framework
Component/s: OXM, Web
Affects Version/s: None
Fix Version/s: 3.2.14, 4.1.7, 4.2 RC2
Security Level: Public

Type: Bug Priority: Major
Reporter: Toshiaki Maki Assignee: Rossen Stoyanchev
Resolution: Complete Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is related to SPR-15797 Disable DTD and external entities sup... Closed
Days since last comment: 3 years, 25 weeks, 1 day ago
Last commented by a User: false
Last updater: Juergen Hoeller


If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

Comment by Rossen Stoyanchev [ 30/Jun/15 ]

Reference to CVE report:

Comment by Rossen Stoyanchev [ 30/Jun/15 ]

Please note that there are additional considerations besides the fixes for this issue when using StAX. The details are in the CVE report referenced above.

Generated at Wed Dec 19 09:21:31 UTC 2018 using JIRA 7.9.2#79002-sha1:3bb15b68ecd99a30eb364c4c1a393359bcad6278.