Dragonfly v0.3.0-SNAPSHOT fails to properly configure the DocumentBuilderFactory to prevent XML external entity (XXE) attacks when parsing maven-metadata.xml files provided by external Maven repositories during "SNAPSHOT" version resolution.
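For reference, this is how a DocumentBuilderFactory is hardened against XXE before it touches repository-supplied metadata. It is an added example, not Dragonfly's own code; the class name, the method names and the sample maven-metadata.xml are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
public class SafeMetadataParser {
    // Constructed sample of the maven-metadata.xml a repository serves for a SNAPSHOT version.
    static final String SAMPLE_METADATA =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?><metadata><groupId>com.example</groupId>"
      + "<artifactId>demo</artifactId><version>1.0-SNAPSHOT</version><versioning><snapshot>"
      + "<timestamp>20240101.120000</timestamp><buildNumber>3</buildNumber></snapshot></versioning></metadata>";
    // Factory with DTD processing switched off, so a repository-supplied document
    // cannot declare external entities or make the parser fetch remote resources.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing any DOCTYPE is the most complete fix: no DTD means no entities at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5+: deny external DTD and schema access over every protocol.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }
    // Returns "<timestamp>-<buildNumber>", the suffix Maven substitutes for
    // "SNAPSHOT" when it picks the latest deployed build of the version.
    static String resolveSnapshotSuffix(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        String ts = doc.getElementsByTagName("timestamp").item(0).getTextContent();
        String bn = doc.getElementsByTagName("buildNumber").item(0).getTextContent();
        return ts + "-" + bn;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(resolveSnapshotSuffix(SAMPLE_METADATA));
        // A document that carries a DOCTYPE is rejected instead of being resolved.
        try {
            resolveSnapshotSuffix("<!DOCTYPE metadata []><metadata/>");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the built-in JDK parser the second call fails on the DOCTYPE declaration itself, which is the behaviour a resolver should show before it ever reads entity definitions from an untrusted repository.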
Workarounds
Dragonfly 0.3.0-SNAPSHOT only parses XML when SNAPSHOT versions are being resolved; to avoid this vulnerability, avoid resolving SNAPSHOT versions.
References
For more information
If you have any questions or comments about this advisory: