[
https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14623940#comment-14623940
]
Rick Hillegas commented on DERBY-6807:
--------------------------------------
Hi Bryan,
The XmlVTI appears in the internal engine javadoc but not in the public API. It
wouldn't hurt to add a blurb to the XmlVTI javadoc in case we add this class to
the public api some day. Thanks.
> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
> Key: DERBY-6807
> URL: https://issues.apache.org/jira/browse/DERBY-6807
> Project: Derby
> Issue Type: Bug
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Attachments: error-stacktrace.out, externalGeneralEntities.diff,
> secureXmlVTI.diff, xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to
> expose sensitive information or launch denial-of-service assaults. This issue
> has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe
> Arteau.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
