Server-Side Request Forgery (SSRF) Affecting com.fasterxml.jackson.dataformat:jackson-dataformat-xml Open this link in a new tab package, versions [2.7.4,2.7.8) [2.8.0,2.8.4]

Attack Complexity

Low
Scope

Changed
Integrity

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-30243
published

28 Mar 2017
disclosed

15 Apr 2016
credit

Adith Sudhakar

Report a new vulnerability Found a mistake?

Introduced: 15 Apr 2016

CVE-2016-7051 Open this link in a new tab CWE-918 Open this link in a new tab

Overview

com.fasterxml.jackson.dataformat:jackson-dataformat-xml is a Data format extension for Jackson to offer alternative support for serializing POJOs as XML and deserializing XML as pojos. A flaw was found in jackson-dataformat-xml's XmlMapper which allows XXE Out of Band attack. An attacker could use this flaw to launch a SSRF attack.

Server-Side Request Forgery (SSRF) Affecting com.fasterxml.jackson.dataformat:jackson-dataformat-xml Open this link in a new tab package, versions [2.7.4,2.7.8) [2.8.0,2.8.4]

Attack Complexity

Scope

Integrity

snyk-id

published

disclosed

credit

Introduced: 15 Apr 2016

Overview

References