Server-Side Request Forgery (SSRF) Affecting com.fasterxml.jackson.dataformat:jackson-dataformat-xml package, versions [2.7.4,2.7.8) [2.8.0,2.8.4]
Attack Complexity: Low
Scope: Changed
Integrity: High
snyk-id: SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-30243
published: 28 Mar 2017
disclosed: 15 Apr 2016
credit: Adith Sudhakar
Introduced: 15 Apr 2016
CVE-2016-7051
Overview
com.fasterxml.jackson.dataformat:jackson-dataformat-xml is a data format extension for Jackson that offers alternative support for serializing POJOs as XML and deserializing XML as POJOs.
A flaw was found in jackson-dataformat-xml's XmlMapper that allows an XXE out-of-band attack. An attacker could use this flaw to launch an SSRF attack.
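As defence in depth alongside moving off the affected version ranges, an XmlMapper can be built on a StAX XMLInputFactory with DTD and external-entity processing switched off. This is an added example, not code from the advisory or the Jackson project; the names HardenedXmlMapperExample and hardenedXmlMapper and both sample documents are constructed for illustration.

```java
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

import javax.xml.stream.XMLInputFactory;
import java.util.Map;

public class HardenedXmlMapperExample {

    /** Hypothetical helper: XmlMapper whose parser ignores DTDs and external entities. */
    static XmlMapper hardenedXmlMapper() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        // Do not process DOCTYPE declarations, so no entity can be declared by the input.
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Do not resolve external entities; this is the request primitive behind XXE-based SSRF.
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Hand the locked-down factory to Jackson instead of letting it create its own.
        return new XmlMapper(new XmlFactory(in));
    }

    public static void main(String[] args) throws Exception {
        XmlMapper mapper = hardenedXmlMapper();

        // Constructed sample input: ordinary XML must still deserialize.
        String plain = "<order><id>42</id><item>book</item></order>";
        Map<?, ?> order = mapper.readValue(plain, Map.class);
        System.out.println("plain document -> " + order);

        // Constructed sample input: a DOCTYPE declaring a harmless internal entity.
        // With DTD support off the declaration is never honoured, so the parser
        // either rejects the reference or leaves it unexpanded.
        String withDtd = "<!DOCTYPE order [<!ENTITY note \"expanded\">]>"
                + "<order><id>&note;</id></order>";
        try {
            Map<?, ?> parsed = mapper.readValue(withDtd, Map.class);
            boolean expanded = String.valueOf(parsed).contains("expanded");
            System.out.println("DTD document parsed, entity expanded: " + expanded);
            if (expanded) {
                throw new IllegalStateException("DTD entities are still being processed");
            }
        } catch (java.io.IOException e) {
            // Jackson wraps the underlying StAX error in an IOException subtype.
            System.out.println("DTD document rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it against the jackson-dataformat-xml version the application actually ships, so the check reflects the StAX implementation on that classpath.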