CVE-2016-7051

NameCVE-2016-7051
DescriptionXmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jackson-dataformat-xml (PTS)buster2.9.8-1fixed
bullseye2.12.1-1fixed
sid, trixie, bookworm2.14.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jackson-dataformat-xmlsource(unstable)2.8.5-1

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1378673#c7
https://github.com/FasterXML/jackson-dataformat-xml/issues/211
https://github.com/FasterXML/jackson-dataformat-xml/commit/eeff2c312e9d4caa8c9f27b8f740c7529d00524a (2.7.8)

Search for package or bug name: Reporting problems