Kurt Boberg of DocuSign reported a possible XML External Entity (XXE) attack. Excerpt from his mail to firstname.lastname@example.org
I’m a security researcher at DocuSign. While doing due diligence on PDFBox as a third party component, I found a blind XXE vulnerability in the Stamp annotation FDF parser. The vulnerability is here:
You are at the mercy of the Java Runtime parser here (this is a known anti-pattern for interacting with Java’s XML parsing).
As we already have secure parsing code to prevent such attacks, we simply have to do some DRY refactoring. That said, we should simplify the code by using XMLUtil for all of these parsers.
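The anti-pattern the report names (a DocumentBuilderFactory left at runtime defaults) next to the hardened setup such a shared helper should centralise, as an added Java example; this is not PDFBox's own XMLUtil code, and the class and method names are illustrative:

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class SafeXmlParsing {

    // Anti-pattern from the report: whatever the JRE's parser does by default.
    // On most JDKs that means DTDs and external entities are honoured.
    static Document parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Hardened factory: FDF/XFDF needs no DOCTYPE, so forbid it outright, and
    // also switch off external entities, external DTD loading and XInclude in
    // case the runtime parser does not support the disallow-doctype feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parseSafely(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Last line of defence: never fetch anything the parser still asks for.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a DOCTYPE inside FDF XML is a red flag, not legitimate input.
        String plain = "<?xml version=\"1.0\"?><xfdf><f>ok</f></xfdf>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e \"ok\">]><xfdf><f>&e;</f></xfdf>";
        System.out.println(parseSafely(plain).getDocumentElement().getTagName());
        try {
            parseSafely(withDoctype);
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Routing every XML entry point in the code base through one such helper is what makes the DRY refactoring a security fix rather than a style change: a parser that is created anywhere else silently falls back to the runtime defaults.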