
XML input vulnerability based on DTD declaration [SPR-13136] #17727

Closed
spring-issuemaster opened this issue Jun 16, 2015 · 2 comments

@spring-issuemaster

commented Jun 16, 2015

Toshiaki Maki opened SPR-13136 and commented

If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-decl feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.


Issue Links:

  • #20352 Disable DTD and external entities support in XmlEventDecoder to prevent XXE and XML bomb attack

Backported to: 3.2.14

0 votes, 5 watchers
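The three settings named in the report above (the `disallow-doctype-decl` feature for DOM and SAX, `supportDTD=false` for StAX), as an added, self-contained example that is not Spring's own fix and is not code from the issue. It assumes the standard JAXP factories shipped with the JDK; the feature URI `http://apache.org/xml/features/disallow-doctype-decl` is the Xerces feature that the JDK's built-in parser also honours, and `XMLInputFactory.SUPPORT_DTD` is the constant behind the `javax.xml.stream.supportDTD` property. The two documents it parses are constructed for the demonstration: one plain, one carrying a harmless inline DTD, enough to show that a hardened parser rejects any DOCTYPE before entity expansion can start.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;

import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParsers {

    // Xerces feature name; the JDK's bundled parser supports it as well.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample input: well-formed, carries an inline DTD, but is
    // deliberately NOT an XML bomb. It only shows that a DOCTYPE is refused.
    static final String WITH_INLINE_DTD =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE greeting [<!ENTITY who \"world\">]>\n"
            + "<greeting>hello &who;</greeting>";

    // Constructed sample input: no DOCTYPE, should still parse normally.
    static final String PLAIN = "<greeting>hello world</greeting>";

    /** DOM: DocumentBuilderFactory with DOCTYPE declarations disallowed. */
    static boolean domAccepts(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature(DISALLOW_DOCTYPE, true);   // the fix named in the report
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            f.newDocumentBuilder().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            // A DOCTYPE now fails with a SAXParseException ("DOCTYPE is disallowed").
            return false;
        }
    }

    /** SAX: SAXParserFactory with the same feature. */
    static boolean saxAccepts(String xml) {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.setFeature(DISALLOW_DOCTYPE, true);   // the fix named in the report
            f.newSAXParser().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                    new DefaultHandler());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** StAX: XMLInputFactory with DTD support and external entities switched off. */
    static boolean staxAccepts(String xml) {
        try {
            XMLInputFactory f = XMLInputFactory.newInstance();
            f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                  // supportDTD=false
            f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                // Whether a DTD event is still reported with supportDTD=false differs
                // between StAX implementations; refuse the document defensively if it is.
                if (r.next() == XMLStreamConstants.DTD) {
                    return false;
                }
            }
            return true;
        } catch (Exception e) {
            // With the DTD not processed, the entity reference is undeclared and
            // the reader throws XMLStreamException; that is also a rejection.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("DOM  plain=" + domAccepts(PLAIN) + " dtd=" + domAccepts(WITH_INLINE_DTD));
        System.out.println("SAX  plain=" + saxAccepts(PLAIN) + " dtd=" + saxAccepts(WITH_INLINE_DTD));
        System.out.println("StAX plain=" + staxAccepts(PLAIN) + " dtd=" + staxAccepts(WITH_INLINE_DTD));
    }
}
```

Each `*Accepts` method should return `true` for `PLAIN` and `false` for `WITH_INLINE_DTD`. Compile and run with `javac HardenedXmlParsers.java && java HardenedXmlParsers`. Note that the StAX branch needs both properties and the event check: `supportDTD=false` alone stops the internal subset from being processed, but it is the only one of the three APIs that does not have a single "refuse any DOCTYPE" switch, which is why the second comment on this issue points to further StAX considerations in the CVE report.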

@spring-issuemaster


commented Jun 30, 2015

Rossen Stoyanchev commented

Reference to CVE report:
http://pivotal.io/security/cve-2015-3192.

@spring-issuemaster


commented Jun 30, 2015

Rossen Stoyanchev commented

Please note that there are additional considerations besides the fixes for this issue when using StAX. The details are in the CVE report referenced above.
