CVE-2016-3720
XML external entity (XXE) vulnerability in jackson-dataformat-xml (Maven)
What is CVE-2016-3720 About?
An XML external entity (XXE) vulnerability exists in XmlMapper, part of the Jackson data format extension for XML. The original advisory describes the impact as unspecified and the attack vectors as unknown; the flaw is exploited through weaknesses in XML parsing. Exploitation usually involves crafting malicious XML input, making it relatively easy.
Affected Software
Technical Details
The XmlMapper component in the Data format extension for Jackson (Jackson-dataformat-xml) is prone to an XML external entity (XXE) vulnerability. This vulnerability occurs when the XML parser, by default, processes external entity references within an XML document. An attacker can craft a malicious XML document that includes a reference to an external entity, such as a local file, a system command, or a URI. When the XmlMapper parses this document, it resolves the external entity, which can lead to various impacts including sensitive file disclosure (e.g., /etc/passwd), exfiltration of data to an attacker-controlled server, server-side request forgery (SSRF), or even denial of service. The exact attack vectors depend on the underlying system's configuration and available resources but leverage the parser's trust in external entity definitions.
What is the Impact of CVE-2016-3720?
Successful exploitation may allow attackers to read local files, initiate server-side request forgery (SSRF) attacks, exfiltrate data, or potentially cause a denial of service, leading to information disclosure and system compromise.
What is the Exploitability of CVE-2016-3720?
Exploitation of this XML external entity (XXE) vulnerability is of moderate complexity. It typically requires the ability to provide specially crafted XML input to a service that utilizes the vulnerable XmlMapper in Jackson-dataformat-xml. No specific authentication or privilege requirements are generally needed, as the vulnerability typically resides in the input parsing stage. The attack is remote, as it involves sending a malicious XML payload over a network, often via HTTP POST requests to an API endpoint. Prerequisites include identified endpoints that accept XML input and are processed by the vulnerable XmlMapper instance. The risk of exploitation is significantly higher in applications that do not disable DTD processing or specific external entity resolution features by default, as these are the mechanisms leveraged by XXE attacks.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-3720?
About the Fix from Resolved Security
The patch sets the StAX XMLInputFactory property IS_SUPPORTING_EXTERNAL_ENTITIES to false on the factory XmlMapper uses, so external entity expansion is disabled by default. This prevents XML External Entity (XXE) attacks, fixing CVE-2016-3720 by ensuring malicious XML input cannot inject or read arbitrary data through external entity references.
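The following is an added example, not code from the advisory or from the jackson-dataformat-xml project, showing how an application can apply the same hardening explicitly (useful for versions before 2.7.4, or wherever the application builds its own XMLInputFactory). It sets IS_SUPPORTING_EXTERNAL_ENTITIES to false as the fix does, additionally disables DTD processing via the standard StAX SUPPORT_DTD property as defense in depth, and feeds the mapper a constructed document that declares an external entity; the Note class and the placeholder SYSTEM URI are assumptions made for the demo.

```java
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

public class HardenedXmlMapperDemo {

    // Simple data class bound from the XML document (constructed for this example).
    public static class Note {
        public String body;
    }

    // Build an XmlMapper whose StAX reader never resolves external entities,
    // mirroring the CVE-2016-3720 fix. SUPPORT_DTD=false goes one step further
    // and stops the reader from processing DOCTYPE declarations at all.
    public static XmlMapper hardenedMapper() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        XMLOutputFactory out = XMLOutputFactory.newFactory();
        return new XmlMapper(new XmlFactory(in, out));
    }

    // Constructed test document: declares an external entity and references it
    // from element content. The SYSTEM URI is a placeholder, not a real resource.
    static final String EXTERNAL_ENTITY_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Note [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n"
      + "<Note><body>&ext;</body></Note>";

    public static void main(String[] args) {
        try {
            Note n = hardenedMapper().readValue(EXTERNAL_ENTITY_SAMPLE, Note.class);
            // Reaching this point means the reader accepted the document without
            // resolving the entity, so body holds no external content.
            System.out.println("Parsed without entity expansion; body=" + n.body);
        } catch (Exception e) {
            // Expected with DTD support disabled: the DOCTYPE / entity reference is
            // rejected and the request can be logged and dropped at the boundary.
            System.out.println("Rejected XML with external entity: " + e.getMessage());
        }
    }
}
```

Either outcome (rejection, or a parse in which the entity is left unresolved) is safe; what must never happen is the placeholder URI being fetched and its contents landing in the Note.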
Available Upgrade Options
- com.fasterxml.jackson.dataformat:jackson-dataformat-xml
- <2.7.4 → Upgrade to 2.7.4
Additional Resources
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184561.html
- https://github.com/advisories/GHSA-hmq6-frv3-4727
- https://nvd.nist.gov/vuln/detail/CVE-2016-3720
- https://osv.dev/vulnerability/GHSA-hmq6-frv3-4727
What are Similar Vulnerabilities to CVE-2016-3720?
Similar Vulnerabilities: CVE-2017-1000008, CVE-2017-1000018, CVE-2016-6814, CVE-2015-8472, CVE-2013-0260
