You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I think your project may be vulnerable to Improper Restriction of XML External Entity Reference. It shares similarities to a recent CVE disclosure CVE-2021-3869 in the project stanfordnlp/CoreNLP. The vulnerable methods are as follows:
com.ysj.tinySpring.beans.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(InputStream inputStream) in the file src+/main/java/com/ysj/tinySpring/beans/xml/XmlBeanDefinitionReader.java
us.codecraft.tinyioc.beans.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(InputStream inputStream) in the file src/main/java/us/codecraft/tinyioc/beans/xml/XmlBeanDefinitionReader.java
The source vulnerability information is as follows:
Vulnerability Description:
This vulnerability occurs because of the Improper Restriction of XML External Entity Reference. Given that the XML schema files which is compromised by a hacker, the victim conducts regular process may result in an XML External Entity (XXE) Injection attack.
Recommended Actions:
The corresponding fixes are similar to CVE-2021-3869 to some extent. I have provided the following fixes by applying several patching statements, ensuring that the external entities and DTDs are not loaded when parsing and processing XML documents using the document builder. You can call the function safeDocumentBuilderFactory I defined below instead of directly calling DocumentBuilderFactory.newInstance() to create a DocumentBuilderFactory object to avoid XXE attacks.
Considering the potential riskes it may have, I am willing to cooperate with your to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me.
Thank you and looking forward to hearing from you soon.
The text was updated successfully, but these errors were encountered:
I think your project may be vulnerable to Improper Restriction of XML External Entity Reference. It shares similarities to a recent CVE disclosure CVE-2021-3869 in the project stanfordnlp/CoreNLP. The vulnerable methods are as follows:
The source vulnerability information is as follows:
Vulnerability Description:
This vulnerability occurs because of the Improper Restriction of XML External Entity Reference. Given that the XML schema files which is compromised by a hacker, the victim conducts regular process may result in an XML External Entity (XXE) Injection attack.
Recommended Actions:
The corresponding fixes are similar to CVE-2021-3869 to some extent. I have provided the following fixes by applying several patching statements, ensuring that the external entities and DTDs are not loaded when parsing and processing XML documents using the document builder. You can call the function
safeDocumentBuilderFactory
I defined below instead of directly callingDocumentBuilderFactory.newInstance()
to create a DocumentBuilderFactory object to avoid XXE attacks.Considering the potential riskes it may have, I am willing to cooperate with your to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me.
Thank you and looking forward to hearing from you soon.
The text was updated successfully, but these errors were encountered: