The XMLChangeLogSAXParser() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. References: https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381
Created liquibase tracking bugs for this issue: Affects: epel-7 [bug 2081485]