Server-Side Request Forgery (SSRF) Affecting com.fasterxml.jackson.dataformat:jackson-dataformat-xml package, versions [2.7.4,2.7.8) [2.8.0,2.8.4]

Snyk CVSS

Attack Complexity Low

Scope Changed

Integrity High

Threat Intelligence

EPSS 0.19% (56^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-30243
published 28 Mar 2017
disclosed 15 Apr 2016
credit Adith Sudhakar

Report a new vulnerability Found a mistake?

Introduced: 15 Apr 2016

CVE-2016-7051 Open this link in a new tab CWE-918 Open this link in a new tab

Overview

com.fasterxml.jackson.dataformat:jackson-dataformat-xml is a Data format extension for Jackson to offer alternative support for serializing POJOs as XML and deserializing XML as pojos. A flaw was found in jackson-dataformat-xml's XmlMapper which allows XXE Out of Band attack. An attacker could use this flaw to launch a SSRF attack.

Server-Side Request Forgery (SSRF) Affecting com.fasterxml.jackson.dataformat:jackson-dataformat-xml package, versions [2.7.4,2.7.8) [2.8.0,2.8.4]

Snyk CVSS

Threat Intelligence

Introduced: 15 Apr 2016

Overview

References