CVE-2018-1000651

An attacker can exploit this vulnerability by submitting a specially crafted XML file to the application. This XML file would contain a reference to an external entity, which the XML parser would then process. The processing of this external entity can lead to various impacts, including the disclosure of confidential data, denial of service, server-side request forgery, and port scanning [ref_id=1].

The vulnerability exists in the XMLParser component of Stroom. Specifically, the code snippet provided shows the usage of `XMLReader` without disabling entities: `final XMLReader xmlReader = parser.getXMLReader(); xmlReader.setErrorHandler(new FatalErrorHandler()); xmlReader.setContentHandler(handler); xmlReader.parse(new InputSource(reader));` [ref_id=1].

The advisory does not specify the exact fix applied to resolve this vulnerability. However, the general remediation for XML External Entity (XXE) vulnerabilities involves configuring the XML parser to disable the resolution of external entities. This prevents the parser from fetching and processing external resources, thereby mitigating the risks associated with XXE attacks [ref_id=1].