vertx-web-api-contract is vulnerable to XML external entity (XXE) attacks. The OpenAPI XMLTypeValidator function allows access to external Document Type Definitions (DTDs) and schemas, which would allow a remote attacker to perform XXE attacks by passing a malicious XML file.
Affected versions (CPE):

| Name | Operator | Version |
|---|---|---|
| vertx-web-api-contract | le | 3.5.3 |
access.redhat.com/errata/RHSA-2018:2946
bugs.eclipse.org/bugs/show_bug.cgi?id=539568
github.com/vert-x3/vertx-web/commit/ea0b0930fbc122b7114935cafa379facc9611587
github.com/vert-x3/vertx-web/issues/1021
lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
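The mitigation for the flaw described above, as an added example that is not code from the vertx-web project: a JAXP DocumentBuilderFactory configured so that external DTDs and schemas can never be fetched, exercised against a constructed document whose DOCTYPE points at a remote DTD. The feature and property names are the standard Xerces/JAXP ones; the class name, helper names and sample XML are constructed for this illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParsing {

    // Constructed sample: a document whose DOCTYPE references an external DTD.
    // A default DocumentBuilderFactory would try to fetch it; the hardened one
    // below rejects the document before any network access can happen.
    static final String XML_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order SYSTEM \"http://dtd.example.invalid/order.dtd\">\n"
      + "<order><id>1</id></order>";

    // Builds a factory that cannot load external DTDs, schemas or entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE declaration outright: the most effective single XXE control.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE is ever allowed again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 properties: an empty string allows no protocol for external DTD/schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the parser refuses the document (SAXParseException on the
    // DOCTYPE), false when it parses it without complaint.
    static boolean isRejected(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, IOException {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejected external-DTD document: "
            + isRejected(hardenedFactory(), XML_WITH_EXTERNAL_DTD));
    }
}
```

When a schema-validating parser is genuinely required, the same ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties apply to SchemaFactory and Validator, so only schemas bundled with the application are ever resolved.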