CVE-2016-3720
Description
Jackson's XmlMapper is vulnerable to XXE, allowing attackers to read internal files or perform SSRF via crafted XML input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jackson's jackson-dataformat-xml before version 2.7.4 contains an XXE vulnerability in the XmlMapper class [2]. The vulnerability occurs when the component parses XML input without disabling external entity processing, allowing attackers to inject malicious XML external entities [2].
Exploitation
An attacker can exploit this by providing a crafted XML input containing an external entity reference to the XmlMapper parser [2]. No authentication is required, and the attack can be performed remotely over the network if the application parses untrusted XML data [2].
Impact
Successful exploitation can lead to information disclosure (e.g., reading local files), server-side request forgery (SSRF), or denial of service through entity expansion [2]. The exact impact depends on the application context and permissions [2].
Mitigation
Upgrade to jackson-dataformat-xml version 2.7.4 or later [2]. If upgrading immediately is not possible, ensure that XML external entity processing is disabled in the XML parser configuration (e.g., using XMLInputFactory settings) [2]. The vulnerability is not listed on the CISA KEV as of now.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
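The XMLInputFactory-based hardening that the Mitigation section refers to, as an added example (not code from Jackson or from this advisory): the StAX reader handed to XmlMapper is configured to refuse DTDs and external entities, so a DOCTYPE-declared entity is never resolved. The class name, the `Note` POJO and the placeholder SYSTEM URI are assumptions made for the illustration.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

/** Hardened XmlMapper construction for deployments still on jackson-dataformat-xml < 2.7.4. */
public class HardenedXmlMapper {

    /** Hypothetical deserialization target. */
    public static class Note {
        public String body;
    }

    /** Build an XmlMapper whose StAX reader refuses DTDs and external entities. */
    public static XmlMapper create() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        // Refuse DTD processing; with no DTD there is nowhere to declare an entity.
        in.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Second layer: even if a DTD were processed, never resolve external entities.
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLOutputFactory out = XMLOutputFactory.newFactory();
        // new XmlMapper() with default settings is the configuration the CVE describes;
        // passing an explicit XmlFactory overrides those defaults.
        return new XmlMapper(new XmlFactory(in, out));
    }

    public static void main(String[] args) {
        // Constructed sample input: a document declaring an external entity.
        // The SYSTEM URI is a placeholder, not a real file.
        String crafted =
            "<?xml version=\"1.0\"?>"
          + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///placeholder/local-file\">]>"
          + "<note><body>&ext;</body></note>";

        XmlMapper mapper = create();
        try {
            Note n = mapper.readValue(crafted, Note.class);
            // Reached only if the StAX implementation skips the DOCTYPE silently;
            // the body then holds no file content because nothing was resolved.
            System.out.println("Parsed without entity expansion: " + n.body);
        } catch (Exception e) {
            // Typical outcome: the reader reports the unsupported DTD or the
            // undeclared entity as a parse error instead of reading the URI.
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Either branch is the safe one: the placeholder URI is never opened, which is the behaviour 2.7.4 makes the default.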
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.dataformat:jackson-dataformat-xml (Maven) | < 2.7.4 | 2.7.4 |
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)
- lists.fedoraproject.org/pipermail/package-announce/2016-May/184561.html (nvd; Third Party Advisory; WEB)
- github.com/advisories/GHSA-hmq6-frv3-4727 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-3720 (ghsa; ADVISORY)