XML input vulnerability based on DTD declaration [SPR-13136] #17727
Assignees
Labels
in: data
Issues in data modules (jdbc, orm, oxm, tx)
in: web
Issues in web modules (web, webmvc, webflux, websocket)
status: backported
An issue that has been backported to maintenance branches
type: bug
A general bug
Milestone
Comments
|
Rossen Stoyanchev commented Reference to CVE report: |
|
Rossen Stoyanchev commented Please note that there are additional considerations besides the fixes for this issue when using StAX. The details are in the CVE report referenced above. |
spring-projects-issues
added
type: bug
This was referenced Jan 11, 2019
This was referenced May 9, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Toshiaki Maki opened SPR-13136 and commented
If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the
disallow-doctype-decfeature in the DOM and SAX APIs totrueand by setting thesupportDTDproperty in the StAX API tofalse.Issue Links:
Backported to: 3.2.14
0 votes, 5 watchers
The text was updated successfully, but these errors were encountered: