Description
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.
Remediation
References
http://www.securityfocus.com/bid/101052
http://www.securitytracker.com/id/1039444
https://issues.apache.org/jira/browse/JELLY-293
https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73%40%3Cdev.commons.apache.org%3E
Related Vulnerabilities
CVE-2017-16168 Vulnerability in npm package wffserve
CVE-2018-1000160 Vulnerability in npm package @risingstack/protect
CVE-2022-24822 Vulnerability in npm package @podium/layout
CVE-2021-43788 Vulnerability in npm package nodebb
CVE-2018-1284 Vulnerability in maven package org.apache.hive:hive-exec