Bug#958055: dom4j: CVE-2020-10683: XML External Entity vulnerability in default SAX parser

Emmanuel Bourg ebourg at apache.org
Sun Apr 19 01:36:14 BST 2020


On 17/04/2020 at 23:10, Salvatore Bonaccorso wrote:

> The following vulnerability was published for dom4j.
> 
> CVE-2020-10683[0]:
> XML External Entity vulnerability in default SAX parser
> 
> [2] https://github.com/dom4j/dom4j/commit/a822852 (Patch)

The upstream patch doesn't fix anything, the constructor of SAXReader
still allows external entities by default, but the documentation now
suggests disabling them.

Emmanuel Bourg
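Since the default SAXReader keeps the parser's entity handling as-is, the mitigation has to be applied by the caller. The following is an added example, not code from this thread or from the dom4j project: it builds a SAXReader with DOCTYPE declarations and external entity loading switched off via the standard Xerces/SAX feature URIs, then shows that a constructed document carrying an external entity declaration is rejected before anything is resolved. The class name, method names and the sample document are assumptions made for the example.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedDom4j {

    // Builds a SAXReader with external entity resolution switched off.
    // new SAXReader() alone leaves the underlying parser's defaults in place,
    // which is the point raised in the message above.
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Rejecting any DOCTYPE blocks both internal and external entity
        // declarations; the strongest setting when DTDs are not needed.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must tolerate a DOCTYPE.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setIncludeExternalDTDDeclarations(false);
        return reader;
    }

    // Constructed sample: a document declaring an external entity. The SYSTEM
    // identifier is a placeholder; nothing is fetched because parsing stops
    // at the DOCTYPE.
    public static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"http://localhost/placeholder.txt\">]>\n"
      + "<doc>&ext;</doc>";

    public static void main(String[] args) throws Exception {
        SAXReader reader = hardenedReader();
        try {
            Document doc = reader.read(new StringReader(SAMPLE_WITH_DOCTYPE));
            System.out.println("Parsed (unexpected): " + doc.getRootElement().getText());
        } catch (DocumentException e) {
            // disallow-doctype-decl makes the parser reject the document
            // before any entity is resolved.
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Running the same sample through a plain `new SAXReader()` instead of `hardenedReader()` is a quick way to check which parser defaults a given dom4j/JAXP combination actually ships with.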