Yiheng Cao created AXIS2-6060:
---------------------------------

             Summary: [Axis2]Security Vulnerability - Action Required: XXE vulnerability in the newest version of org.apache.axis2:axis2
                 Key: AXIS2-6060
                 URL: https://issues.apache.org/jira/browse/AXIS2-6060
             Project: Axis2
          Issue Type: Bug
          Components: codegen, wsdl
    Affects Versions: 1.8.0
            Reporter: Yiheng Cao
The vulnerability is present in the method getNamespaceAwareDocumentBuilder() of the class org.apache.axis2.wsdl.codegen.extension.JAXBRIExtension, which is responsible for getting a DocumentBuilder object that supports namespace resolution. The vulnerable call chain we discovered is: *engage(CodeGenConfiguration configuration) → loadAdditionalSchemas() → getNamespaceAwareDocumentBuilder().* Given that the XML schema files stored in /org/apache/axis2/wsdl/codegen/schema/ are compromised by a hacker, the victim conducts a regular process which incorporates the execution of the method engage(), resulting in an XML External Entity (XXE) Injection attack.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
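For reference, a hardened way to construct the namespace-aware DocumentBuilder that the report describes. This is an added example, not code from Axis2 or from the reporter; the class name HardenedSchemaBuilder and its methods are hypothetical, and the sample schema strings are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class HardenedSchemaBuilder {
    // Hypothetical hardened counterpart of a namespace-aware DocumentBuilder (not Axis2 code).
    // Schema files loaded from disk never need a DOCTYPE, so DTD processing and external
    // entity resolution are switched off before any file is parsed.
    static DocumentBuilder hardenedNamespaceAwareBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Secure processing caps entity expansion but, on the JDK's built-in Xerces, does not
        // by itself stop external entities, hence the explicit features that follow.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting every <!DOCTYPE ...> blocks entity declarations, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // True when the builder refuses the document, the expected outcome for any DOCTYPE.
    static boolean rejects(DocumentBuilder b, String xml) throws Exception {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a schema carrying a harmless internal entity, and a plain one.
        String withDoctype = "<!DOCTYPE schema [<!ENTITY tag \"constructed\">]>\n"
            + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">&tag;</xs:schema>";
        String plain = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"/>";
        DocumentBuilder b = hardenedNamespaceAwareBuilder();
        System.out.println("DOCTYPE rejected: " + rejects(b, withDoctype));
        System.out.println("plain schema rejected: " + rejects(b, plain));
    }
}
```

Running it shows the builder refusing the DOCTYPE-bearing document while still parsing the plain schema, which is the behaviour a fix for the reported call chain should preserve.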