VYPR
High severity · NVD Advisory · Published Jul 22, 2014 · Updated May 6, 2026

CVE-2014-3530

Description

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
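As an added illustration (not PicketLink's code and not part of this advisory), the Java program below reproduces the DocumentBuilderFactory configuration that the fix commit introduces and contrasts it with the pre-fix setup. The class and method names (HardenedXmlParsing, prePatchFactory, hardenedFactory, parse) are chosen here, and the two documents are constructed inputs: the second carries only a DOCTYPE with an internal entity, which is enough to show that the old configuration accepts and expands it while the patched configuration rejects the document outright. The last three settings in hardenedFactory go beyond what the patch sets and are included as further defence in depth.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // The same SAX/Xerces feature URIs the PicketLink fix sets in DocumentUtil.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    // Mirrors the factory as it was configured before the fix: namespace and
    // XInclude aware, but with every entity-related feature left at its default.
    static DocumentBuilderFactory prePatchFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(true);
        return f;
    }

    // Mirrors the fix (DOCTYPE disallowed, external entities off) and adds three
    // further settings that the patch does not set (assumption: XInclude is not needed).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        // Beyond the patch: no XInclude, no entity expansion, secure processing on.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document, and one whose DOCTYPE defines an internal entity.
        String plain = "<assertion id=\"a1\"><subject>alice</subject></assertion>";
        String withDoctype = "<!DOCTYPE assertion [<!ENTITY who \"alice\">]>"
                + "<assertion id=\"a1\"><subject>&who;</subject></assertion>";

        // Old configuration: the DOCTYPE is accepted and &who; is expanded.
        Document old = parse(prePatchFactory(), withDoctype);
        System.out.println("pre-patch factory expanded entity to: "
                + old.getElementsByTagName("subject").item(0).getTextContent());

        // Patched configuration: ordinary documents still parse ...
        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("hardened factory parsed root: "
                + parse(hardened, plain).getDocumentElement().getTagName());

        // ... but any document carrying a DOCTYPE is refused before entities are looked at.
        try {
            parse(hardened, withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("hardened factory rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE entirely is the single setting that closes the issue; the two external-entity features remain useful as a second layer for parsers that do not honour disallow-doctype-decl, which is why the fix sets all three and reports which one a given parser could not apply.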

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.picketlink:picketlink-common (Maven)
Affected versions: < 2.7.0.Final
Patched versions: 2.7.0.Final

Patches

1
8c78668e4f08

[PLINK-509] setting required parser features

https://github.com/picketlink/picketlink · Peter Skopek · Jul 1, 2014 · via ghsa
3 files changed · +22 -0
  • modules/common/src/main/java/org/picketlink/common/DefaultPicketLinkLogger.java (+5 -0, modified)
    @@ -2374,4 +2374,9 @@ public RuntimeException cannotSetMaxPoolSizeToNegative(String max) {
             return new RuntimeException("Cannot set maximum STS client pool size to negative number (" + max + ")");
         }
     
    +    @Override
    +    public RuntimeException parserFeatureNotSupported(String feature) {
    +        return new RuntimeException("Parser feature " + feature + " not supported.");
    +    }
    +
     }
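Review bot: `parserFeatureNotSupported(String feature)` constructs the RuntimeException without a cause, so whatever exception the caller caught is lost from the stack trace; consider adding a `Throwable cause` parameter, e.g. `return new RuntimeException("Parser feature " + feature + " not supported.", cause);`. The method also has no Javadoc saying that `feature` is the parser feature URI that could not be applied.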
    
  • modules/common/src/main/java/org/picketlink/common/PicketLinkLogger.java (+2 -0, modified)
    @@ -1215,4 +1215,6 @@ public interface PicketLinkLogger {
     
         RuntimeException cannotSetMaxPoolSizeToNegative(String max);
     
    +    RuntimeException parserFeatureNotSupported(String feature);
    +
     }
    \ No newline at end of file
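Review bot: the new interface method `parserFeatureNotSupported(String feature)` carries no Javadoc, so implementers have no statement of what `feature` holds or when the exception is meant to be raised; a one-line comment would do. If the implementation is given a cause parameter, this declaration needs the same. Minor: the file still ends without a trailing newline (`\ No newline at end of file`).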
    
  • modules/common/src/main/java/org/picketlink/common/util/DocumentUtil.java (+15 -0, modified)
    @@ -66,6 +66,10 @@ public class DocumentUtil {
     
         private static DocumentBuilderFactory documentBuilderFactory;
     
    +    public static final String feature_external_general_entities = "http://xml.org/sax/features/external-general-entities";
    +    public static final String feature_external_parameter_entities = "http://xml.org/sax/features/external-parameter-entities";
    +    public static final String feature_disallow_doctype_decl = "http://apache.org/xml/features/disallow-doctype-decl";
    +
         /**
          * Check whether a node belongs to a document
          *
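Review bot: the three constants use lower-case snake case (`feature_external_general_entities`) where the Java convention for `public static final` fields is upper case (`FEATURE_EXTERNAL_GENERAL_ENTITIES`); they are also `public`, which makes the parser feature URIs part of the class's API, so consider `private` unless other modules need them. A short comment stating that these are SAX/Xerces feature URIs and why they are set would help the next reader.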
    @@ -517,6 +521,17 @@ private static DocumentBuilderFactory getDocumentBuilderFactory() {
                     documentBuilderFactory = DocumentBuilderFactory.newInstance();
                     documentBuilderFactory.setNamespaceAware(true);
                     documentBuilderFactory.setXIncludeAware(true);
    +                String feature = "";
    +                try {
    +                    feature = feature_disallow_doctype_decl;
    +                    documentBuilderFactory.setFeature(feature, true);
    +                    feature = feature_external_general_entities;
    +                    documentBuilderFactory.setFeature(feature, false);
    +                    feature = feature_external_parameter_entities;
    +                    documentBuilderFactory.setFeature(feature, false);
    +                } catch (ParserConfigurationException e) {
    +                    throw logger.parserFeatureNotSupported(feature);
    +                }
                 } finally {
                     if (tccl_jaxp) {
                         SecurityActions.setTCCL(prevTCCL);
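Review bot: `documentBuilderFactory` is assigned at the top of this block before any feature is applied, so if one `setFeature` call throws, the static field is left holding a factory with none of the protections; if the surrounding code only creates a factory when the field is null (that guard is outside this hunk), later callers would quietly reuse the unhardened instance. Configure a local `DocumentBuilderFactory` and publish it to the field only after all three features have been set. Two smaller points: `throw logger.parserFeatureNotSupported(feature)` drops `e`, losing the cause, and `setXIncludeAware(true)` is still enabled, which lets a document pull in other resources through `xi:include` even with DOCTYPEs disallowed; if XInclude is not needed here, turn it off, and consider `setExpandEntityReferences(false)` and `XMLConstants.FEATURE_SECURE_PROCESSING` as well.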
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
