CVE-2019-10172: Improper Restriction of XML External Entity Reference in jackson-mapper-asl

CVSS Score (v3.1)
7.5

Basic Information

EPSS Score
0.67645%
Published
2/4/2020
Updated
2/15/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name
org.codehaus.jackson:jackson-mapper-asl
Ecosystem
maven
Vulnerable Versions
<= 1.9.13
First Patched Version
none listed

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability (CWE-611) stems from improper restriction of XML external entity references. Jackson's XML parsing in affected versions uses XmlFactory, which does not disable DTD/external entities by default. The readValue method (common entry point for deserialization) and XmlMapper's factory setup are critical points where insecure parser configurations would propagate. This matches the pattern of CVE-2016-3720 but in different classes, as stated in the advisory. The lack of patched versions and references to XML entity handling in the CVE description further support this analysis.

WAF Protection Rules

WAF Rule

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect codehaus jackson-mapper-asl libraries but in different classes.
