Homepage
About Snyk

ro.pippo:pippo-jaxb@1.10.0 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the ro.pippo:pippo-jaxb package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
XML Entity Expansion (Billion Laughs Attack)

ro.pippo:pippo-jaxb is an open source (Apache License) micro web framework in Java.

Affected versions of this package are vulnerable to XML Entity Expansion (Billion Laughs Attack) due to unsafely parsing user provided XML file. The fromString() in the ro.pippo.jaxb.JaxbEngine class allows user provided DTDs that the rest of the XML may reference. This can lead to recursive entity expansion and a subsequent billion laughs attack, leading to denial of service.

How to fix XML Entity Expansion (Billion Laughs Attack)?

There is no fixed version for ro.pippo:pippo-jaxb.

[0,)
  • M
XML External Entity (XXE) Injection

ro.pippo:pippo-jaxb is an open source (Apache License) micro web framework in Java.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the jaxb/JaxbEngine.java method.

How to fix XML External Entity (XXE) Injection?

Upgrade ro.pippo:pippo-jaxb to version 1.12.0 or higher.

[,1.12.0)
Go back to all versions of this package