XML transformers should be secured #15

Closed
agabrys opened this Issue Jun 17, 2018 · 0 comments

agabrys commented Jun 17, 2018

An XML External Entity or XSLT External Entity (XXE) vulnerability can occur when a javax.xml.transform.Transformer is created without enabling "Secure Processing" or when one is created without disabling external DTDs. If that external entity is hijacked by an attacker, it may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

@agabrys agabrys added the bug label Jun 17, 2018

@agabrys agabrys added this to the 2.0.1 milestone Jun 17, 2018

@agabrys agabrys self-assigned this Jun 17, 2018

agabrys added a commit that referenced this issue Jun 17, 2018

#15 XML transformers should be secured
* use secure processing feature in XsltTransformer
* update dependencies and plugins

@agabrys agabrys closed this Jun 17, 2018
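
A regression check for the hardening described in this issue, added here as an example; it is not the project's own code or the referenced commit. It builds a `TransformerFactory` with secure processing enabled and external DTD and stylesheet access disabled, then compares it with a default factory on a constructed document whose external entity points at a local temp file. The class and method names are hypothetical, and the JAXP 1.5 properties are assumed to be supported by the implementation in use, as they are in the JDK's built-in one.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;

public class SecureTransformerExample {
    // Factory with secure processing on and external DTD/stylesheet access off.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties; an empty string means "no protocol allowed".
        // Implementations that lack them throw IllegalArgumentException.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Returns true if the marker from the external file reached the output.
    static boolean leaks(TransformerFactory factory, String xml, String marker) {
        StringWriter out = new StringWriter();
        try {
            factory.newTransformer().transform(
                    new StreamSource(new StringReader(xml)), new StreamResult(out));
        } catch (TransformerException e) {
            System.out.println("transform rejected: " + e.getMessage());
            return false;
        }
        return out.toString().contains(marker);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a local temp file stands in for confidential data.
        String marker = "CONSTRUCTED-MARKER";
        Path file = Files.createTempFile("xxe-demo", ".txt");
        file.toFile().deleteOnExit();
        Files.write(file, marker.getBytes());
        String xml = "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"" + file.toUri() + "\">]>"
                + "<doc>&ext;</doc>";
        System.out.println("default leaks:  " + leaks(TransformerFactory.newInstance(), xml, marker));
        System.out.println("hardened leaks: " + leaks(hardenedFactory(), xml, marker));
    }
}
```

Wiring `leaks(hardenedFactory(), ...)` into a unit test that must return `false` catches a later change that drops the secure settings.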
