6 matches found
Improper Restriction of XML External Entity Reference in Jelly
During Jelly xml file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity XXE...
Apache Commons Jelly Security Bypass Vulnerability
Apache Commons Jelly is a Java and XML-based scripting engine from the Apache Software Foundation of the United States. A security vulnerability exists in Apache Commons Jelly version 1.0. An attacker can exploit this vulnerability to bypass security restrictions and perform unauthorized operation...
XML External Entity (XXE)
Apache commons-jelly is vulnerable to XML external entity (XXE) injection. When jelly XML files are parsed with a custom doctype declared as a SYSTEM entity with a URL at the beginning of the file, the parser will connect to the URL at instantiation...
Apache Commons Jelly connects to url with certain custom doctype definitions.
Severity: Medium Vendor: The Apache Software Foundation Versions Affected: commons-jelly-1.0 core, namely commons-jelly-1.0.jar Description: During jelly xml file parsing with xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a url and that entity is used in the body of t...
CVE-2017-12621
During Jelly xml file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity XXE...
CVE-2017-12621
The CVE-2017-12621 issue is an XXE vulnerability in Apache Commons Jelly when parsing Jelly XML and a SYSTEM entity URL is used in the document, causing the parser to connect to that URL during instantiation. Affected version: Apache Commons Jelly before 1.0.1. Impact per sources indicates potent...