Vulnerability	Vulnerable Version
M XML External Entity (XXE) Injection org.opensaml:xmltooling low-level library that may be used to construct libraries that allow developers to work with XML in a Java beans manner. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter set the `expandEntityReferences` property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML `DOCTYPE` declaration. How to fix XML External Entity (XXE) Injection? Upgrade `org.opensaml:xmltooling` to version 1.4.4 or higher.	[,1.4.4)

XML External Entity (XXE) Injection

org.opensaml:xmltooling low-level library that may be used to construct libraries that allow developers to work with XML in a Java beans manner.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

How to fix XML External Entity (XXE) Injection?

Upgrade org.opensaml:xmltooling to version 1.4.4 or higher.

[,1.4.4)

Go back to all versions of this package