Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.eclipse.jetty:jetty-xml.
There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. That is, in order to exploit XmlParser, the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web applications, and potentially hostile web applications should only be run on an isolated …