PT-2017-9078 · Jackson · Jackson-Dataformat-Xml

Cowtowncoder

·

Publicado

2017-04-14

·

Atualizado

2019-10-10

·

CVE-2016-7051

CVSS v3.1

8.6

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions jackson-dataformat-xml versions 2.7.0 through 2.7.7 jackson-dataformat-xml versions 2.8.0 through 2.8.3
Description The issue allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. This can be exploited in the XmlMapper component of the Jackson XML dataformat.
Recommendations For jackson-dataformat-xml versions 2.7.0 through 2.7.7, update to version 2.7.8 or later. For jackson-dataformat-xml versions 2.8.0 through 2.8.3, update to version 2.8.4 or later.

Correção

XXE

SSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-611CWE-918

Identificadores relacionados

CVE-2016-7051
GHSA-7C2R-3JQF-C9RW

Produtos afetados

Jackson-Dataformat-Xml