Server-Side Request Forgery (SSRF) Affecting com.fasterxml.jackson.dataformat:jackson-dataformat-xml package, versions [2.7.4,2.7.8) [2.8.0,2.8.4]
Snyk CVSS
- Attack Complexity: Low
- Scope: Changed
- Integrity: High
Threat Intelligence
- EPSS: 0.19% (56th percentile)
- Snyk ID SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-30243
- published 28 Mar 2017
- disclosed 15 Apr 2016
- credit Adith Sudhakar
Introduced: 15 Apr 2016
CVE-2016-7051
Overview
com.fasterxml.jackson.dataformat:jackson-dataformat-xml is a data format extension for Jackson that adds support for serializing POJOs as XML and deserializing XML as POJOs.
A flaw in jackson-dataformat-xml's XmlMapper allows an out-of-band XML External Entity (XXE) attack. An attacker could use this flaw to launch an SSRF attack.
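
A defensive configuration for the XmlMapper parser described above, as an added example that is not Snyk's or the Jackson project's code: it builds the mapper on a StAX XMLInputFactory with DTD and external-entity support switched off, then checks that the settings held. The class name HardenedXmlMapper and the Order POJO are hypothetical.

```java
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

// Added example; class and POJO names are hypothetical.
public final class HardenedXmlMapper {

    // Constructed POJO, used only to exercise the mapper.
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Builds an XmlMapper whose StAX parser has DTDs and external entities disabled. */
    public static XmlMapper create() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        // External entity resolution is what lets a parsed document trigger outbound requests.
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // The mapper only needs element data, so DTD processing is turned off as well.
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return new XmlMapper(new XmlFactory(in, XMLOutputFactory.newFactory()));
    }

    /** Throws if the StAX provider on the classpath did not keep the hardened settings. */
    public static void assertHardened(XmlMapper mapper) {
        XMLInputFactory in = mapper.getFactory().getXMLInputFactory();
        String[] props = {
            XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
            XMLInputFactory.SUPPORT_DTD
        };
        for (String p : props) {
            if (!Boolean.FALSE.equals(in.getProperty(p))) {
                throw new IllegalStateException("XML parser property still enabled: " + p);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        XmlMapper mapper = create();
        assertHardened(mapper);
        // Constructed sample input with no DOCTYPE.
        String xml = "<Order><id>A-1</id><quantity>2</quantity></Order>";
        Order o = mapper.readValue(xml, Order.class);
        System.out.println(o.id + " x" + o.quantity);
    }
}
```

Calling assertHardened at application start-up catches the case where a different StAX implementation on the classpath ignores or resets these properties.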