Review

XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.

org/odata4j/stax2/staximpl/StaxXMLFactoryProvider2.java

newXMLInputFactory2()

class StaxXMLFactoryProvider2 {
  @Override
  public XMLInputFactory2 newXMLInputFactory2() {
    return new StaxXMLInputFactory2(XMLInputFactory.newInstance());
  }

}

class StaxXMLFactoryProvider2.StaxXMLInputFactory2 {
    public StaxXMLInputFactory2(XMLInputFactory factory) {
      this.factory = factory;
    }

}