CVE-2014-3530: XXE via insecure DocumentBuilderFactory usage

May 14, 2022 (updated November 1, 2022)

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in this package expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.

References

bugzilla.redhat.com/CVE-2014-3530

Code Behaviors & Features

Detect and mitigate CVE-2014-3530 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →