CVE-2021-2471 MySQL JDBC Connector XXE
Prior to MySQL Connector/J 8.0.27, the getSource() method of MysqlSQLXML performs no security check when external general entities are included in XML sources; consequently, an XXE vulnerability exists.
Set a breakpoint at the getSource() method. According to the source code, if the class is DocumentBuilder will be utilized to parse the XML source data.
Unfortunately, there is no security check when the new instance is created, so we can construct an XML document with external entities.
However, starting with MySQL Connector/J 8.0.27, security attributes are set to check XML sources before the object is instantiated.
Proof of Concept
In line with good XML practices, the getSource() method of MysqlSQLXML no longer supports external DTD, external general entities, and external general parameters in XML sources.
2021/07/10 Report to Oracle
2021/07/23 Fix the issue
2021/10/19 Credit and assign CVE number
2021/10/19 Release MySQL Connector/J 8.0.27