The Derby XML datatype and XmlVTI can be exploited, via XXE (XML External Entity) based attacks, to expose sensitive information or to launch denial-of-service attacks. This issue has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe Arteau.
- is related to
  - DERBY-2131 External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs. (Closed)
  - DERBY-1758 Enable xmlSuite to run as part of derbyall in environments that have the required external jars. (Closed)
  - JCR-4186 Use current Derby version (Closed)
Sub-tasks (summary | status | assignee):
1. Add regression tests for XXE vulnerability | Closed | Abhinav Gupta
2. Improve error handling in XmlVTI | Closed | Bryan Pendleton
3. Include XMLOptimizerTraceTest in XMLSuite | Closed | Unassigned