[ https://issues.apache.org/jira/browse/AXIS2-6060?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andreas Veithen resolved AXIS2-6060.
------------------------------------
    Resolution: Not A Problem

> [Axis2]Security Vulnerability - Action Required: XXE vulnerability in the
> newest version of org.apache.axis2:axis2
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-6060
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6060
>             Project: Axis2
>          Issue Type: Bug
>          Components: codegen, wsdl
>    Affects Versions: 1.8.0
>            Reporter: Yiheng Cao
>            Priority: Major
>
> The vulnerability is present in the class
> org.apache.axis2.wsdl.codegen.extension.JAXBRIExtension, in the method
> getNamespaceAwareDocumentBuilder(), which is responsible for obtaining a
> DocumentBuilder object that supports namespace resolution. The vulnerable
> call chain we discovered is: *engage(CodeGenConfiguration
> configuration)→loadAdditionalSchemas()→getNamespaceAwareDocumentBuilder().*
> Given that the XML schema files stored in
> /org/apache/axis2/wsdl/codegen/schema/ have been compromised by a hacker, the
> victim conducts a regular process that incorporates the execution of the
> method engage(), resulting in an XML External Entity (XXE) Injection attack.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
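As an added illustration that is not Axis2's code and not part of this issue or its resolution: a hypothetical namespace-aware DocumentBuilder in the default form the report describes, beside a hardened one that refuses any DOCTYPE, which is the standard way to take XXE off the table for a parser that only ever reads bundled, DOCTYPE-free schema files. The class, method names and the sample document are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class SchemaBuilderHardening {

    // Hypothetical stand-in for a default namespace-aware builder (not Axis2's code):
    // the JAXP defaults accept a DOCTYPE and resolve external entities.
    static DocumentBuilder defaultNamespaceAwareBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Hardened variant: bundled XSD files never carry a DOCTYPE, so reject it outright,
    // and switch off every external-resource channel as defence in depth.
    static DocumentBuilder hardenedNamespaceAwareBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");     // JAXP 1.5+: no external DTDs
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // JAXP 1.5+: no external schemas
        return f.newDocumentBuilder();
    }

    // Constructed sample: a schema file that has acquired a DOCTYPE, the precondition
    // for any entity-based attack; a legitimate bundled schema has none.
    static final String TAMPERED_SCHEMA =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE xs:schema [<!ENTITY marker \"injected\">]>\n"
      + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">&marker;</xs:schema>";

    // Returns true if the builder accepts the document, false if it is rejected.
    static boolean accepts(DocumentBuilder b, String xml) {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {  // hardened builder raises SAXParseException on the DOCTYPE
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default builder accepts DOCTYPE:  " + accepts(defaultNamespaceAwareBuilder(), TAMPERED_SCHEMA));
        System.out.println("hardened builder accepts DOCTYPE: " + accepts(hardenedNamespaceAwareBuilder(), TAMPERED_SCHEMA));
    }
}
```

A rejected DOCTYPE on a file that is supposed to be a static, bundled schema is also a useful integrity signal worth logging, since it means the shipped artifact is not what was packaged.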