Skip to content

XML input vulnerability based on DTD declaration [SPR-13136] #17727

New issue
New issue
Closed
Closed
XML input vulnerability based on DTD declaration [SPR-13136]#17727
Assignees
rstoyanchev
Labels
in: dataIssues in data modules (jdbc, orm, oxm, tx)in: webIssues in web modules (web, webmvc, webflux, websocket)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug
Milestone
4.1.7
@spring-projects-issues

Description

@spring-projects-issues
spring-projects-issues
opened on Jun 16, 2015

Toshiaki Maki opened SPR-13136 and commented

If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

Issue Links:

Backported to: 3.2.14

0 votes, 5 watchers

Metadata

Metadata

Assignees

Labels

in: dataIssues in data modules (jdbc, orm, oxm, tx)in: webIssues in web modules (web, webmvc, webflux, websocket)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions