A flaw was found in jackson-dataformat-xml's XmlMapper which allows an XXE out-of-band attack. An attacker could use this flaw to launch an SSRF attack.
Acknowledgments: Name: Adith Sudhakar
Created jberet tracking bugs for this issue: Affects: fedora-all [bug 1380205]
Created jackson-dataformat-xml tracking bugs for this issue: Affects: fedora-all [bug 1380206]
Hi,
Is this a duplicate of CVE-2016-3720?
Regards,
Salvatore
(In reply to Salvatore Bonaccorso from comment #5)
> Hi
>
> Is this a duplicate of CVE-2016-3720?
>
> Regards,
> Salvatore

Good question. Resetting NEEDINFO to amaris; he assigned CVE-2016-7051 in response to jsheppard. I've looked at the bugs but it's a bit convoluted. I've also emailed them to ensure they see this.
These 2 issues are distinct. The first issue was about XXE, and was fixed with the change in line 115 here: https://github.com/FasterXML/jackson-dataformat-xml/blob/master/src/main/java/com/fasterxml/jackson/dataformat/xml/XmlFactory.java The second issue was about DTD, and was fixed with the change in line 117.
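An added example (not code from this bug page or from the jackson-dataformat-xml project) showing how application code on an unfixed version can apply the same two StAX settings the upstream change made default, by handing a pre-configured XMLInputFactory to XmlFactory; the Note bean and the placeholder host in the constructed input are assumptions.

```java
import javax.xml.stream.XMLInputFactory;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class HardenedXmlMapperExample {

    // Hypothetical bean to bind the constructed document into.
    public static class Note {
        public String body;
    }

    // The two StAX properties the fix sets on XmlFactory's input factory:
    // no external entity resolution (XXE) and no DTD processing.
    public static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory in = XMLInputFactory.newInstance();
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return in;
    }

    // XmlMapper built on the hardened factory: what an application does
    // itself while still running a version without the upstream change.
    public static XmlMapper hardenedMapper() {
        return new XmlMapper(new XmlFactory(hardenedInputFactory()));
    }

    public static void main(String[] args) {
        // Constructed input: a DOCTYPE declaring an external entity that
        // points at a placeholder host, the shape of the reported issue.
        String untrusted =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"http://placeholder.invalid/x\">]>\n"
            + "<note><body>&ext;</body></note>";
        try {
            Note n = hardenedMapper().readValue(untrusted, Note.class);
            // Some StAX implementations expand the entity to nothing.
            System.out.println("parsed; body=" + n.body);
        } catch (Exception e) {
            // Others reject the DTD outright once SUPPORT_DTD is off.
            System.out.println("rejected: " + e.getMessage());
        }
        // In either branch the SYSTEM URL is never fetched, which is the
        // outbound request the XXE / SSRF report relies on.
    }
}
```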
Thanks for the clarification.