https://bugzilla.redhat.com/show_bug.cgi?id=1887664
--- Comment #62 from Jonathan Christison jochrist@redhat.com --- Further to comment #33 and marking Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact, we believe a low impact is more appropriate and better represents Red Hat's specification of a low impact flaw: https://access.redhat.com/security/updates/classification
That page describes low impact vulnerabilities as "These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited".
In the case of jackson-databind's `DomDeserializer` actually being called, we believe those unlikely circumstances to be:
*) Camel components making use of jackson-databind do not expose this functionality
*) There are specialised components in Camel to parse and deserialize DOM, such as camel-jacksonxml, which relies on jackson-dataformat-xml; jackson-dataformat-xml is not vulnerable to this XXE flaw
*) We believe the usage pattern is itself unlikely and can find no further evidence of implicit use
```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.w3c.dom.Document;

// The usage pattern in question: asking jackson-databind to turn a raw string
// straight into a DOM Document, which routes the input through DomDeserializer.
ObjectMapper mapper = new ObjectMapper();
Document doc = mapper.readValue("<badxml/>", Document.class);
```