CVE-2016-7051
server-side request forgery vulnerability in jackson-dataformat-xml (Maven)

Server-side request forgery | No known exploit | Fixable by Resolved Security

What is CVE-2016-7051 About?

Versions of `jackson-dataformat-xml` prior to 2.7.8 and 2.8.4 are vulnerable to server-side request forgery (SSRF). This flaw allows remote attackers to force the server to make unauthorized requests via vectors related to a DTD. Exploitation difficulty is moderate, requiring specific DTD-related input.

Affected Software

  • com.fasterxml.jackson.dataformat:jackson-dataformat-xml
    • >2.8.0, <2.8.4
    • <2.7.8

Technical Details

The vulnerability in jackson-dataformat-xml versions prior to 2.7.8 and 2.8.4 is a server-side request forgery (SSRF) issue. It is exploited through specially crafted input that leverages XML External Entity (XXE) processing, specifically related to Document Type Definitions (DTDs). When jackson-dataformat-xml parses an XML document, it can be tricked into processing external entities defined in a malicious DTD. An attacker can use this to instruct the server to fetch resources from arbitrary URLs, including internal network locations, or to access local files, so that the server effectively acts as an intermediary for unauthorized requests.

What is the Impact of CVE-2016-7051?

Successful exploitation may allow attackers to force the server to make arbitrary requests to internal or external resources, potentially leading to information disclosure, port scanning of internal networks, or interaction with internal services.

What is the Exploitability of CVE-2016-7051?

Exploitation is of moderate complexity. It requires the attacker to submit malicious XML input containing a crafted DTD, leveraging XML External Entity (XXE) capabilities implicitly or explicitly enabled within the XML parsing context of jackson-dataformat-xml. No specific authentication or privilege is explicitly required beyond the ability to send XML content to the application. The attack is remote, targeting the application's XML processing component. The key risk factor is any application that accepts and parses untrusted XML input using vulnerable jackson-dataformat-xml versions, especially if DTD processing is not sufficiently restricted or disabled.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2016-7051?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch disables DTD processing by setting XMLInputFactory.SUPPORT_DTD to false, in addition to the existing setting that disables external entity expansion. This prevents malicious XML documents from including DTDs, which could be exploited for XML External Entity (XXE) attacks as described in CVE-2016-7051, thus closing the vector for external resource access and denial of service.
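The same two StAX settings can also be applied by an application that builds its own XmlMapper. The following is an added example, not Resolved Security's patch or the project's own code; the class name, the sample documents and the placeholder.invalid host are constructed for illustration, and it assumes jackson-dataformat-xml and a StAX implementation are on the classpath.

```java
import com.fasterxml.jackson.dataformat.xml.XmlMapper;
import javax.xml.stream.XMLInputFactory;
import java.util.Map;

// Hypothetical class name; illustrates the settings named in the fix description.
public class HardenedXmlMapperExample {

    // StAX input factory that refuses DTDs and never resolves external entities.
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        // No DOCTYPE processing at all, so neither internal nor external DTD subsets are read.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // External entity expansion off (the setting the page says was already in place).
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // XmlMapper that parses with the hardened factory instead of the default one.
    static XmlMapper hardenedMapper() {
        return new XmlMapper(hardenedInputFactory());
    }

    public static void main(String[] args) {
        // Constructed sample input: the DOCTYPE declares an external entity at a placeholder host.
        String withDtd =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE order [ <!ENTITY ext SYSTEM \"http://placeholder.invalid/\"> ]>\n"
            + "<order><note>&ext;</note></order>";
        // Constructed sample input without any DTD.
        String benign = "<order><note>ship friday</note></order>";

        XmlMapper mapper = hardenedMapper();
        try {
            System.out.println("benign input  -> " + mapper.readValue(benign, Map.class));
            // With DTD support off the entity is never declared, so the parser either
            // rejects the reference or leaves it unexpanded; no request is made for it.
            Map<?, ?> parsed = mapper.readValue(withDtd, Map.class);
            System.out.println("DTD input     -> parsed without DTD processing: " + parsed);
        } catch (Exception e) {
            System.out.println("DTD input     -> rejected: " + e.getMessage());
        }
    }
}
```

Whether a document containing a DOCTYPE is rejected or parsed with the declaration skipped depends on the StAX implementation in use, which is why the example handles both outcomes.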

Available Upgrade Options

  • com.fasterxml.jackson.dataformat:jackson-dataformat-xml
    • <2.7.8 → Upgrade to 2.7.8
  • com.fasterxml.jackson.dataformat:jackson-dataformat-xml
    • >2.8.0, <2.8.4 → Upgrade to 2.8.4

Additional Resources

What are Similar Vulnerabilities to CVE-2016-7051?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-7657, CVE-2017-1000228, CVE-2021-29425, CVE-2022-25867