Java : XML decoder injection
Classification
- OWASP Top 10 2013
- OWASP Top 10 2017
- OWASP Top 10 2021
- OWASP MASVS
- PCI DSS 4.0
- CWE
Overview
The application deserializes an unvalidated XML file from an untrusted source using java.beans.XMLDecoder. This allows an attacker to execute arbitrary malicious code on the server.
The JDK classes XMLEncoder and XMLDecoder provide simple methods for the persistent storage of objects by serializing them into XML documents. The XML format is not a passive data description: it can encode constructor and method invocations, which XMLDecoder reconstructs and executes while decoding. If an attacker can supply the XML document that the XMLDecoder class deserializes, they can therefore execute arbitrary malicious code on the server.
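As an added illustration (not code from this page or from the DerScanner project), the vulnerable pattern beside a hardened alternative that never hands untrusted bytes to XMLDecoder; the class name, the `UserPrefs` record, `safeLoad` and the `<userPrefs>` element names are assumptions chosen for the example.

```java
import java.beans.XMLDecoder;
import java.io.InputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public final class XmlDecoderExample {
    // Hypothetical object the application actually expects to receive.
    public record UserPrefs(String theme, int fontSize) {}

    // VULNERABLE: XMLDecoder replays whatever constructor and method calls the
    // document describes, so untrusted input means attacker-chosen code runs.
    static Object vulnerableLoad(InputStream untrusted) {
        try (XMLDecoder d = new XMLDecoder(untrusted)) {
            return d.readObject();
        }
    }

    // HARDENED: parse the document with a plain DOM parser (DOCTYPE disabled),
    // accept only the elements the application defines, and build the object
    // ourselves; the document can describe data, never code to run.
    static UserPrefs safeLoad(InputStream untrusted) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(untrusted);
        Element root = doc.getDocumentElement();
        if (!"userPrefs".equals(root.getTagName())) {
            throw new IllegalArgumentException("unexpected root element: " + root.getTagName());
        }
        String theme = requiredText(root, "theme");
        int fontSize = Integer.parseInt(requiredText(root, "fontSize"));
        if (fontSize < 6 || fontSize > 72) {
            throw new IllegalArgumentException("fontSize out of range");
        }
        return new UserPrefs(theme, fontSize);
    }

    // Exactly one child element with the given name is allowed; anything else is rejected.
    private static String requiredText(Element parent, String name) {
        var nodes = parent.getElementsByTagName(name);
        if (nodes.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <" + name + ">");
        }
        return nodes.item(0).getTextContent().trim();
    }
}
```

Feeding `safeLoad` a constructed document such as `<userPrefs><theme>dark</theme><fontSize>14</fontSize></userPrefs>` returns `UserPrefs[theme=dark, fontSize=14]`, while any document with a different structure is rejected before any object is built.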
References
- OWASP: Testing for XML Injection
- OWASP Top 10 2017-A1-Injection
- OWASP Top 10 2013-A1-Injection
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
- CWE-116: Improper Encoding or Escaping of Output
- XMLDecoder - docs.oracle.com
- CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
DerScanner Severity Score: LOW