漏洞名称:

jackson-dataformat-xml XXE漏洞

影响版本:

jackson-dataformat-xml/2.7.3-1

漏洞详情:

在jackson-dataformat-xml/2.wa7.3-1版本中默认配置允许外部实体解析，测试代码如下:jackson-dataformat-xml/2.7.4-1中已经解决该问题，默认禁止外部实体解析

修复方案:

升级到 jackson-dataformat-xml/2.7.4-1

参考:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823703https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0https://github.com/swagger-api/swagger-core/issues/2023https://lists.fedoraproject.org/pipermail/package-announce/2016-May/184561.htmlhttps://github.com/FasterXML/jackson-dataformat-xml/tree/f0f19a4c924d9db9a1e2830434061c8640092cc0http://www.jb51.cc/article/p-figxsaiv-oa.html