XML External Entity attack in mapfish-print
Description
In mapfish-print before version 3.24, a user can perform an XML External Entity (XXE) attack through a user-supplied SLD (Styled Layer Descriptor) style. The original advisory text spells the format "SDL".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| org.mapfish.print:print-lib | >= 3.0, < 3.24 | 3.24 |
| org.mapfish.print:print-servlet | >= 3.0, < 3.24 | 3.24 |
| org.mapfish.print:print-standalone | >= 3.0, < 3.24 | 3.24 |
Affected products
- pkg:maven/org.mapfish.print/print-lib (no CPE): >= 3.0, < 3.24
- pkg:maven/org.mapfish.print/print-servlet (no CPE): >= 3.0, < 3.24
- pkg:maven/org.mapfish.print/print-standalone (no CPE): >= 3.0, < 3.24
- CVE range (all products): < 3.24
Patches
Fixed in 3.24 by mapfish-print pull request 1397 (commit e1d0527d13db06b2b62ca7d6afb9e97dacd67a0e); see References.
Vulnerability mechanics
Root cause
"The XML parser used to process SLD style documents does not disable XML External Entity (XXE) processing, allowing an attacker to read local files or perform SSRF via crafted XML entities."
Attack vector
An attacker crafts an SLD style document whose DOCTYPE declares external entities pointing at local files or internal network resources [CWE-611]. When the MapFish Print server parses that style, the XML parser resolves the entities, so file contents can be disclosed in the rendered output or error messages, and the server can be made to issue requests on the attacker's behalf (server-side request forgery). The attacker only needs to be able to supply the crafted style to the print service, which the print request specification allows. The advisory does not list authentication as a prerequisite.
Affected code
The advisory ties the vulnerability to the parsing of SLD style XML documents. The referenced fix commit visibly touches the `MapPrinterServlet` class, removing JSONP callback parameters from several endpoints (`getStatus`, `getCapabilities`, `listAppIds`, `getExampleRequest`), and updates `MapPrinterServletTest.java` to match the removed JSONP functionality. The XML parser configuration change for SLD styles is not shown in the diff excerpt the advisory references.
What the fix does
The patch removes JSONP callback functionality from all servlet endpoints (`getStatus`, `getCapabilities`, `listAppIds`, `getExampleRequest`), closing a vector for JSONP-based data leakage. More importantly, it disables XML external entity processing in the parser used for SLD style documents, which is what stops the XXE attack. The visible diff shows only the removal of the `jsonpCallback` parameter from method signatures and the corresponding JSONP test cases; the exact parser configuration change is not in the advisory excerpt, and the commit message states that the commit fixes security issues including the XXE vulnerability. Upgrading to 3.24 or later is the only supported remediation.
Preconditions
- Input: the attacker must be able to supply a crafted SLD style document to the MapFish Print server.
- Configuration: the server must be running a version of mapfish-print before 3.24.
- Network: network access to the print service endpoint is required.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- GitHub advisory: https://github.com/advisories/GHSA-vjv6-gq77-3mjw
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-15232
- Fix pull request: https://github.com/mapfish/mapfish-print/pull/1397
- Fix commit: https://github.com/mapfish/mapfish-print/pull/1397/commits/e1d0527d13db06b2b62ca7d6afb9e97dacd67a0e
- Vendor advisory: https://github.com/mapfish/mapfish-print/security/advisories/GHSA-vjv6-gq77-3mjw