Vulnerability when using DOM converters

Description

When all of the following apply:
1) The application has a remoted method accepting XML data as input through a DOM parameter.
2) The DOM parameter is converted with one of the DWR DOM converters (DOMConverter, JDOMConverter, DOM4JConverter or XOMConverter).
3) There is a way to fetch the parsed XML from the outside.
then an attacker may be able to view private data.

Big thanks to Takeshi Terada of Mitsui Bussan Secure Directions and JPCERT for reporting this issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5325
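The hardening a defender would apply to the XML parser behind such a converter, as an added example that is not DWR's own code: CVE-2014-5325 is catalogued as an XML external entity (XXE) issue, so the mitigation is to stop the parser from resolving external entities and, better still, from accepting a DOCTYPE at all, which removes the risk regardless of whether condition 3 holds. The class name, the sample document and the file path inside it are constructed for illustration; the feature URIs are the standard Xerces/JDK ones.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedDomParsing {

    // Constructed test vector: the document type declaration defines an external
    // entity. A parser left at its defaults tries to read the referenced resource
    // and folds its contents into the parsed tree, which is what an attacker who
    // can later fetch that tree (condition 3 above) is after. The path is a placeholder.
    static final String CONSTRUCTED_INPUT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/private.txt\"> ]>\n"
      + "<data>&ext;</data>";

    // Hardened factory: rejects any DOCTYPE up front and, for parsers that do not
    // honour that feature, switches off every path by which external content
    // could be pulled in.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The single most effective setting: a DOCTYPE makes the parse fail.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the feature above is unsupported by the implementation.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the input with the given factory and reports the outcome as a string
    // instead of throwing, so the weak and hardened configurations can be compared.
    static String parseWith(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            // The hardened factory lands here: the DOCTYPE is refused before any
            // entity is resolved, so no file is ever opened.
            return "rejected: " + e.getMessage();
        } catch (ParserConfigurationException | IOException e) {
            // The default factory typically lands here for a missing placeholder
            // file: it already attempted to open the external resource.
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Weak: factory defaults, DOCTYPE accepted and external entities resolved.
        System.out.println("default  -> " + parseWith(DocumentBuilderFactory.newInstance(), CONSTRUCTED_INPUT));
        // Corrected: DOCTYPE rejected, nothing external is ever fetched.
        System.out.println("hardened -> " + parseWith(hardenedFactory(), CONSTRUCTED_INPUT));
    }
}
```

The same feature flags apply to the other parsers named in the description through the setFeature methods of JDOM's SAXBuilder and dom4j's SAXReader, and to XOM by handing its Builder an XMLReader configured the same way. Whichever converter is in use, the check is the same: feed the parser a document carrying a DOCTYPE and confirm it is refused rather than parsed.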

Activity

Mike Wilson
September 17, 2014, 9:24 PM

Implementation checked in.

Assignee

David Marginian

Reporter

Mike Wilson

Labels

None

Documentation Required

No

Priority

Critical