A flaw was found in jackson-dataformat-xml's XmlMapper which allows an out-of-band (OOB) XXE attack. An attacker could use this flaw to launch an SSRF attack.
Name: Adith Sudhakar
Created jberet tracking bugs for this issue:
Affects: fedora-all [bug 1380205]
Created jackson-dataformat-xml tracking bugs for this issue:
Affects: fedora-all [bug 1380206]
Is this a duplicate of CVE-2016-3720?
(In reply to Salvatore Bonaccorso from comment #5)
> Is this a duplicate of CVE-2016-3720?
Good questions. Resetting NEEDINFO to firstname.lastname@example.org, he assigned CVE-2016-7051 in response to email@example.com, I've looked at the bugs but it's a bit convoluted. I've also emailed them to ensure they see this.
These 2 issues are distinct. The first issue was about XXE, and was fixed with the change in line 115 here:
The second issue was about DTD, and was fixed with the change in line 117.
Thanks for the clarification.
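For readers who land on this bug from a dependency scan, the following is an added illustration of the two StAX settings the thread above distinguishes (external-entity expansion versus DTD processing). It is not code from the bug report or from the jackson-dataformat-xml project, and the payload, class names and the file:// target are constructed for the demo. It builds one XmlMapper over an XMLInputFactory with both switches on, as a stand-in for an unpatched configuration, and one with both switches off, then feeds the same document to each.

```java
import java.io.IOException;
import javax.xml.stream.XMLInputFactory;

import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class XmlMapperXxeDemo {

    /** Target POJO for the constructed document below. */
    public static class Data {
        public String value;
    }

    /**
     * Constructed payload (not taken from the bug report). The external general
     * entity points at a local file so the demo runs offline; an attacker would
     * instead point SYSTEM at a host they control, which is the out-of-band /
     * SSRF case the description refers to.
     */
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Data [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<Data><value>&xxe;</value></Data>";

    /** Mapper whose underlying StAX factory still processes DTDs and expands external entities. */
    static XmlMapper vulnerableMapper() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.TRUE);
        return new XmlMapper(new XmlFactory(in));
    }

    /**
     * Hardened mapper: both StAX switches off. Turning off external entities
     * covers the entity-expansion half; turning off DTD processing removes the
     * DOCTYPE handling that the thread treats as the second, distinct issue.
     */
    static XmlMapper hardenedMapper() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return new XmlMapper(new XmlFactory(in));
    }

    /** Runtime check a deployment can make on any XmlMapper it did not build itself. */
    static boolean isHardened(XmlMapper mapper) {
        XMLInputFactory in = mapper.getFactory().getXMLInputFactory();
        return Boolean.FALSE.equals(in.getProperty(XMLInputFactory.SUPPORT_DTD))
            && Boolean.FALSE.equals(in.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }

    /** Returns the parsed value, or null when the mapper refuses the document. */
    static String parse(XmlMapper mapper, String xml) {
        try {
            return mapper.readValue(xml, Data.class).value;
        } catch (IOException e) {   // Jackson's parse/mapping exceptions extend IOException
            return null;
        }
    }

    public static void main(String[] args) {
        XmlMapper weak = vulnerableMapper();
        XmlMapper safe = hardenedMapper();

        System.out.println("vulnerable mapper hardened? " + isHardened(weak));
        System.out.println("vulnerable mapper resolved the entity: " + (parse(weak, PAYLOAD) != null));

        System.out.println("hardened mapper hardened? " + isHardened(safe));
        System.out.println("hardened mapper rejected the document: " + (parse(safe, PAYLOAD) == null));
    }
}
```

The isHardened check is the one to keep: whether a given build of jackson-dataformat-xml applies these defaults itself depends on the version, so a service that accepts XML from untrusted sources is better off setting both properties explicitly on its own XMLInputFactory and asserting them at startup than relying on the library's defaults.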