org.simpleframework:simple-xml@2.7.1 vulnerabilities

Simple is a high performance XML serialization and configuration framework for Java

latest version

2.7.1
first published

16 years ago
latest version published

10 years ago
licenses detected
- Apache-2.0
  [2.1.9,2.2); [2.2.4,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.simpleframework:simple-xml package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C XML External Entity (XXE) Injection `org.simpleframework:simple-xml` is a RESTful Web API framework for Java. Affected versions of the package are vulnerable to XML External Entity (XXE) Injection. The XML External Entity (XXE) vulnerabilities abuse the XML specification to force an XML parser to either fetch sensitive data from the system, or carry out denial of services (DoS) or server-side request forgery (SSRF) attacks. The main problem is that the XML standard allows an XML document to define entities, which are like variables that can refer to resources outside of the XML document. Let's consider the following XML document: `<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY abc SYSTEM "file:///etc/passwd" >]> <foo>&abc;</foo>` This document defines an external entity named abc, that refers to the content of the file `/etc/passwd`. When the XML document is parsed, the entity `&abc;` will be replaced by the content of `/etc/passwd`. Now if an application is parsing XML data from an untrusted source, then by defining an external entity that points to a sensitive file, the attacker will be able to force the application to include sensitive data in the parsed XML document. If the attacker can then retrieve the content of the parsed document, they will be able to view the content of /etc/passwd. LGTM Blog How to fix XML External Entity (XXE) Injection? There is no fixed version for `org.simpleframework:simple-xml`.	[0,)

XML External Entity (XXE) Injection

org.simpleframework:simple-xml is a RESTful Web API framework for Java.

Affected versions of the package are vulnerable to XML External Entity (XXE) Injection.

The XML External Entity (XXE) vulnerabilities abuse the XML specification to force an XML parser to either fetch sensitive data from the system, or carry out denial of services (DoS) or server-side request forgery (SSRF) attacks. The main problem is that the XML standard allows an XML document to define entities, which are like variables that can refer to resources outside of the XML document. Let's consider the following XML document:

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY abc SYSTEM "file:///etc/passwd" >]>
<foo>&abc;</foo>

This document defines an external entity named abc, that refers to the content of the file /etc/passwd. When the XML document is parsed, the entity &abc; will be replaced by the content of /etc/passwd. Now if an application is parsing XML data from an untrusted source, then by defining an external entity that points to a sensitive file, the attacker will be able to force the application to include sensitive data in the parsed XML document. If the attacker can then retrieve the content of the parsed document, they will be able to view the content of /etc/passwd.

LGTM Blog

How to fix XML External Entity (XXE) Injection?

There is no fixed version for org.simpleframework:simple-xml.

[0,)

Go back to all versions of this package

org.simpleframework:simple-xml@2.7.1 vulnerabilities

Simple is a high performance XML serialization and configuration framework for Java

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities