https://bugzilla.redhat.com/show_bug.cgi?id=1321789
Bug ID: 1321789
Summary: CVE-2016-3674 XStream: enabled processing of external entities
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
XStream (x-stream.github.io) is a Java library that marshals Java objects into
XML and back. For this purpose it supports many different XML parsers. Some of
those parsers also resolve external entities, and XStream left that processing
enabled by default.
An attacker who controls the XML input could therefore supply a crafted
document to read data from the file system (XML External Entity, XXE,
injection); see
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
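The mitigation side of the issue above, as an added example that is not code from the bug report or from the XStream project: the XML is first parsed with a JDK DOM parser configured to reject DOCTYPEs and external entities, and only the resulting document is handed to XStream through its DomReader. The Note class, the alias, and the sample documents are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomReader;

public class SafeXStreamLoad {
    // Hypothetical payload type, used only to show the round trip.
    public static class Note {
        public String text;
    }

    // JDK DOM parser hardened against XXE: no DOCTYPE at all, and no
    // external general or parameter entities or external DTD loading.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse with the hardened builder, then let XStream walk the DOM instead
    // of choosing (and configuring) a parser itself.
    static Note load(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        XStream xstream = new XStream();
        xstream.allowTypes(new Class[] { Note.class }); // allowlist of types to unmarshal
        xstream.alias("note", Note.class);
        return (Note) xstream.unmarshal(new DomReader(doc));
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: round-trips normally.
        System.out.println(load("<note><text>hello</text></note>").text);
        // Constructed input carrying a DOCTYPE with an external entity:
        // the hardened parser rejects it before XStream ever sees it.
        String hostile = "<!DOCTYPE note [<!ENTITY x SYSTEM \"file:///placeholder\">]>"
                       + "<note><text>&x;</text></note>";
        try {
            load(hostile);
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```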