org.simpleframework:simple-xml@2.7.1 vulnerabilities

Simple is a high performance XML serialization and configuration framework for Java

  • first published: 16 years ago

  • latest version published: 10 years ago

Direct Vulnerabilities

Known vulnerabilities in the org.simpleframework:simple-xml package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • C
XML External Entity (XXE) Injection

org.simpleframework:simple-xml is a RESTful Web API framework for Java.

Affected versions of the package are vulnerable to XML External Entity (XXE) Injection.

XML External Entity (XXE) vulnerabilities abuse the XML specification to force an XML parser to either fetch sensitive data from the system, or carry out denial of service (DoS) or server-side request forgery (SSRF) attacks. The main problem is that the XML standard allows an XML document to define entities, which are like variables that can refer to resources outside of the XML document. Consider the following XML document:

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY abc SYSTEM "file:///etc/passwd" >]>

This document defines an external entity named abc that refers to the content of the file /etc/passwd. When the XML document is parsed, the entity &abc; is replaced by the content of /etc/passwd. If an application parses XML data from an untrusted source, an attacker can define an external entity that points to a sensitive file and so force the application to include sensitive data in the parsed XML document. If the attacker can then retrieve the content of the parsed document, they will be able to view the content of /etc/passwd.

How to fix XML External Entity (XXE) Injection?

There is no fixed version for org.simpleframework:simple-xml.
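
With no fixed release to upgrade to, one mitigation is to refuse any input that carries a DOCTYPE before it reaches the library. The following is an added example, not code from Snyk or from the simple-xml project; it uses only JDK classes, and the class name DoctypeGate, the method isAcceptable and the sample inputs are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical pre-parse gate (name and design are assumptions, not simple-xml API).
public class DoctypeGate {

    // True only when the input is well-formed XML that declares no DOCTYPE.
    // Any parse or configuration failure returns false, so the gate fails closed.
    static boolean isAcceptable(byte[] xml) {
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setXIncludeAware(false);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Xerces feature honoured by the JDK's built-in parser: any DOCTYPE is a fatal error.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth in case the DOCTYPE ban is ever relaxed.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            // DefaultHandler rethrows fatal errors, which lands in the catch below.
            factory.newSAXParser().parse(new ByteArrayInputStream(xml), new DefaultHandler());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain document and the DOCTYPE document shown on this page.
        String plain = "<?xml version=\"1.0\"?><foo>hello</foo>";
        String withDoctype = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
                + "<!DOCTYPE foo [\n"
                + "  <!ELEMENT foo ANY >\n"
                + "  <!ENTITY abc SYSTEM \"file:///etc/passwd\" >]>\n"
                + "<foo>&abc;</foo>";
        for (String doc : new String[] {plain, withDoctype}) {
            boolean ok = isAcceptable(doc.getBytes(StandardCharsets.ISO_8859_1));
            // Only documents that pass would be handed on to the serializer.
            System.out.println((ok ? "accept" : "reject") + ": " + doc.length() + " chars");
        }
    }
}
```

The gate only helps if every path that feeds untrusted XML to the serializer goes through it, and if the same bytes that passed the check are the ones deserialized.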