BDSA-2018-5289 Mozilla Rhino - 1.7.7.2 #2112

@josebarros2025

Description

Mozilla Rhino is vulnerable to XML external entities (XXE) due to insecure XML parsing in the toXml function. Applications that use this function to accept untrusted input could be vulnerable to information disclosure and minor integrity and availability impacts due to the requests sent and local files accessed by the external entities in the crafted XML document.

Transitive dependency brought in by the following components:

maven: io.swagger.parser.v3:swagger-parser:2.1.22
maven: io.swagger.parser.v3:swagger-parser-v2-converter:2.1.22
maven: io.swagger:swagger-compat-spec-parser:1.0.70
maven: com.github.java-json-tools:json-schema-validator:2.2.14
maven: com.github.java-json-tools:json-schema-core:1.2.14
maven: org.mozilla:rhino:1.7.7.2

This library has not been updated for more than 4 years and it's full of vulnerabilities.
JSON Schema Core » 1.2.14
Rhino's most recent version, 1.7.15, has no known vulnerabilities at this moment.
The issue clearly is the dependency on json-schema-validator:2.2.14 and json-schema-core:1.2.14.
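As an added example that is not part of the issue above or of any of the projects it names, the following Maven fragment shows how a consumer of swagger-parser 2.1.22 can force the transitive org.mozilla:rhino to the 1.7.15 release mentioned in the report without waiting for json-schema-core to move off 1.7.7.2. It assumes the project declares swagger-parser directly (as on the page) and that json-schema-core 1.2.14 still works against Rhino 1.7.15; the second point is an assumption that the project's own test suite has to confirm.

```xml
<!-- Added example, not from the issue: pin the transitive Rhino version.
     Assumptions: swagger-parser 2.1.22 is a direct dependency, and
     json-schema-core 1.2.14 runs correctly on Rhino 1.7.15 (verify with tests). -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- placeholder coordinates -->
  <artifactId>rhino-override-demo</artifactId>
  <version>1.0-SNAPSHOT</version>

  <!-- dependencyManagement wins over the version json-schema-core asks for,
       so every path in the tree resolves org.mozilla:rhino to 1.7.15. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.mozilla</groupId>
        <artifactId>rhino</artifactId>
        <version>1.7.15</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the direct dependency from the report that drags in json-schema-core -->
    <dependency>
      <groupId>io.swagger.parser.v3</groupId>
      <artifactId>swagger-parser</artifactId>
      <version>2.1.22</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=org.mozilla:rhino` and check that the only rhino node in the output carries 1.7.15; if 1.7.7.2 still appears, some other module in the build declares its own dependencyManagement entry and needs the same pin. Excluding rhino entirely is not a substitute, because json-schema-core loads it at runtime and would fail when it is absent, so a managed version is the safer of the two options until the upstream dependency is replaced.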
