Exploitable bypass for XXE fix

Description

Hello,

As part of security research, I've found an exploitable bypass of the XXE fix of the 2.7.1.1 release, which renders the fix useless.

In order to avoid direct risk to customers (including mine) running GeoServer (even the current 2.7.1.1 release), I am not yet posting any exploitation details here, unless you ask me to post them. Better to contact me directly for information about the bypass and the steps to fix it (mail@Christian-Schneider.net).

Best regards & many thanks,
Christian Schneider

@cschneider4711

Environment

None

Status

Assignee

Torben Barsballe

Reporter

Christian Schneider

Triage

None

Fix versions

Affects versions

2.8-M0
2.5.5.1
2.8-beta
2.7.1.1
2.6.4

Components

Priority

High