It was reported that XmlMapper in jackson-dataformat-xml is vulnerable to XXE attack ("Improper Restriction of XML External Entity Reference").
Acknowledgments: Name: Adith Sudhakar
Created jberet tracking bugs for this issue: Affects: fedora-all [bug 1332726]
Created jackson-dataformat-xml tracking bugs for this issue: Affects: fedora-all [bug 1332727]
jackson-dataformat-xml-2.6.3-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
jackson-dataformat-xml-2.5.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
jackson-dataformat-xml-2.5.0-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Upstream bug: https://github.com/FasterXML/jackson-dataformat-xml/issues/190 Fixed in jackson-dataformat-xml 2.7.4
Who is responsible for updating the CVE / who initially submitted it? A check run against the database still shows 2.7.4 as vulnerable. On the upstream issue, the maintainers state that they were not involved with filing the CVE.
Is the CVE failing due to this issue still reflecting as "NEW". Should the status of this bug stay as New?
Is there any chance to get status updated: Fixed (as per comments above) in 2.7.4, as well as 2.8.0 (and all later versions). As the author of Jackson I can provide more details if and as needed, but I am not sure what can be done at this point.
This flaw had the 'fixedin' field set to 2.7.4 since 22nd June, 2016. It seems they field is not being read by NVD. You might need to contact them directly.