Date: Fri, 25 Mar 2016 16:04:38 +0100
From: Jörg Schaible <joerg.schaible@....de>
To: oss-security@...ts.openwall.com
Subject: CVE request - XStream: XXE vulnerability

Hi all,

XStream (x-stream.github.io) is a Java library to marshal Java objects into XML and back. For this purpose it supports a lot of different XML parsers. Some of those can also process external entities, which was enabled by default. An attacker could therefore provide manipulated XML as input to access data on the file system, see
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Since XStream 1.4.9 all parsers are configured to ignore external entities by default, as far as such behavior is configurable:
http://x-stream.github.io/changes.html#1.4.9

Luckily, XStream's default parser Xpp3 does not parse entities at all. However, all applications that use XStream >= 1.4.8 explicitly with parsers based on StAX, W3C DOM, Dom4J, JDOM or JDOM2 were affected unless the parsers had been properly configured manually. Applications using XOM or explicitly BEA's old StAX reference parser are still vulnerable; we found no way to deactivate processing of external entities for those two.

Regards,
Jörg

On behalf of the XStream community
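The following is an added example and not code from the advisory above or from the XStream project. It shows the exposure the message describes for an application that picks XStream's StaxDriver explicitly on 1.4.8, and the manual hardening that 1.4.9 applies by default: a StaxDriver subclass that overrides the protected createInputFactory() hook to switch off external entity and DTD processing. It assumes XStream 1.4.x and a StAX implementation (the JDK's built-in one suffices) on the classpath; the "secret" file, the payload and the class names are constructed for the demonstration. On XStream 1.4.9 or later the plain StaxDriver already behaves like the hardened one, so both lines of output would show the safe result there.

```java
// Added example, not XStream project code. Demonstrates XXE via an explicitly
// chosen StaxDriver on XStream 1.4.8 and the manual hardening 1.4.9 made the default.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;

import javax.xml.stream.XMLInputFactory;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class XStreamXxeDemo {

    /** StaxDriver whose parser neither resolves external entities nor processes a DTD. */
    static class HardenedStaxDriver extends StaxDriver {
        @Override
        protected XMLInputFactory createInputFactory() {
            XMLInputFactory factory = XMLInputFactory.newInstance();
            // The settings XStream 1.4.9 sets itself; on 1.4.8 the application must set them.
            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
            factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
            return factory;
        }
    }

    /** Constructed attacker document: a serialised String whose value is an external entity. */
    static String xxePayload(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\"> ]>\n"
             + "<string>&xxe;</string>";
    }

    /** Unmarshals the document with the given driver; returns the String produced or the parser's refusal. */
    static String unmarshal(StaxDriver driver, String xml) {
        XStream xstream = new XStream(driver);
        try {
            return String.valueOf(xstream.fromXML(xml));
        } catch (RuntimeException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd or an application configuration file.
        Path secret = Files.createTempFile("xstream-xxe-demo", ".txt");
        Files.write(secret, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));
        String payload = xxePayload(secret);

        // Plain StaxDriver on XStream 1.4.8: the entity is resolved and the file's
        // content is returned to the caller as the deserialised String.
        System.out.println("default  : " + unmarshal(new StaxDriver(), payload));

        // Hardened driver: depending on the StAX implementation the DOCTYPE is refused
        // or the entity reference is left unexpanded; the file content never reaches the caller.
        System.out.println("hardened : " + unmarshal(new HardenedStaxDriver(), payload));

        Files.deleteIfExists(secret);
    }
}
```

Overriding createInputFactory() rather than handing a pre-built factory to the driver keeps the hardening in one place, so every XStream instance built from HardenedStaxDriver gets the same parser settings. For the W3C DOM path the analogous hook is DomDriver's protected createDocumentBuilderFactory(), where the DocumentBuilderFactory features for external general and parameter entities should be disabled; for XOM and BEA's reference StAX parser the advisory reports no such switch, so the only fix there is to change parser.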