Server-Side Request Forgery (SSRF) Affecting com.fasterxml.jackson.dataformat:jackson-dataformat-xml Open this link in a new tab package, versions [2.7.4,2.7.8) [2.8.0,2.8.4]


0.0
high
  • Attack Complexity

    Low

  • Scope

    Changed

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-30243

  • published

    28 Mar 2017

  • disclosed

    15 Apr 2016

  • credit

    Adith Sudhakar

Overview

com.fasterxml.jackson.dataformat:jackson-dataformat-xml is a Data format extension for Jackson to offer alternative support for serializing POJOs as XML and deserializing XML as pojos. A flaw was found in jackson-dataformat-xml's XmlMapper which allows XXE Out of Band attack. An attacker could use this flaw to launch a SSRF attack.