PT-2017-12606 · Apache · Apache Xerces-C+1

Published: 2017-09-27 · Updated: 2023-02-09 · CVE-2017-12621

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Commons Jelly versions prior to 1.0.1
Description: The issue arises during Jelly (XML) file parsing with Apache Xerces. If a custom doctype entity is declared as a "SYSTEM" entity with a URL and that entity is referenced in the body of the Jelly file, the parser will attempt to connect to the specified URL during parser instantiation. This could lead to XML External Entity (XXE) attacks.
Recommendations: For versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom doctype entities with "SYSTEM" entities to minimize the risk of exploitation.

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2017-12621
GHSA-6G33-82GC-3PW5

Affected Products

Apache Commons Jelly
Apache Xerces-C