4 matches found
Improper Restriction of XML External Entity Reference in Jelly
During Jelly xml file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity XXE...
Apache Commons Jelly connects to url with certain custom doctype definitions.
Severity: Medium Vendor: The Apache Software Foundation Versions Affected: commons-jelly-1.0 core, namely commons-jelly-1.0.jar Description: During jelly xml file parsing with xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a url and that entity is used in the body of t...
CVE-2017-12621
The CVE-2017-12621 issue is an XXE vulnerability in Apache Commons Jelly when parsing Jelly XML and a SYSTEM entity URL is used in the document, causing the parser to connect to that URL during instantiation. Affected version: Apache Commons Jelly before 1.0.1. Impact per sources indicates potent...
CVE-2017-12621
During Jelly xml file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity XXE...