JDOM XXE vulnerability 

Issue date: 21-09-2021
Affects versions: 14.6, 13.4, 12.6

Security Issue ID

SECURITY-240

 

Affected Product Version(s)

14.6.0, 13.4.9, 12.6.16, and previous releases.


Severity 

high


Description

CVE-2021-33813

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

This vulnerability was mitigated by disabling external entity expansion for every use of the JDOM library in the product, so that a DOCTYPE carrying an external entity declaration is no longer resolved when untrusted XML is parsed.
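The advisory does not say which parser settings the fix applies. The following is an added example, not code from this advisory or from the JDOM project, showing the standard way to harden a JDOM 2 `SAXBuilder` against CWE-611: reject DOCTYPE declarations outright and, as a fallback, turn off external general and parameter entities, external DTD loading and JDOM's own entity expansion. The class name `HardenedJdom`, the helper methods and the sample XML document are assumptions made for the example; the feature URIs are the ones honoured by the JDK's built-in Xerces-based parser.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

/**
 * Added example (hypothetical class, not from the advisory or from JDOM):
 * a SAXBuilder configured so that external entities in untrusted XML are
 * never resolved.
 */
public final class HardenedJdom {

    private HardenedJdom() {}

    /** Non-validating SAXBuilder that refuses DOCTYPEs and external entities. */
    public static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        // Strongest single control: no DOCTYPE means no entity declarations at all.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JDOM-level switch: do not expand entity references into the built tree.
        builder.setExpandEntities(false);
        return builder;
    }

    /** Parses a string with the given builder; untrusted input should use hardenedBuilder(). */
    public static Document parse(SAXBuilder builder, String xml)
            throws JDOMException, IOException {
        return builder.build(new StringReader(xml));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a document declaring an external entity that
        // points at an arbitrary local file (chosen only for illustration).
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
                + "<data>&ext;</data>";

        try {
            Document doc = parse(hardenedBuilder(), xxe);
            System.out.println("unexpected: parsed " + doc.getRootElement().getName());
        } catch (JDOMException e) {
            // Expected with the hardened builder: the DOCTYPE is rejected before
            // the parser ever tries to open the referenced file.
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // Benign input without a DOCTYPE still parses through the same builder.
        try {
            Document doc = parse(hardenedBuilder(), "<data>ok</data>");
            System.out.println("benign root: " + doc.getRootElement().getName());
        } catch (JDOMException e) {
            System.out.println("unexpected failure: " + e.getMessage());
        }
    }
}
```

The `disallow-doctype-decl` feature is the control to rely on: with it set, the malicious document above fails at the DOCTYPE and the remaining settings never come into play. They are kept because application code is sometimes required to accept documents with a DTD, in which case the DOCTYPE feature has to be relaxed and the external-entity features become the effective defence. Reviewing every `SAXBuilder` construction in a code base for these settings is the practical check that matches the mitigation described above.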

Instructions

Customers running the 12.x, 13.x or 14.x major versions are advised to upgrade to the latest release in their series.