亚博买球jinri�������,guowaianquanshequgongbuweixinzhifuguanfangsdkcunzaiyanzhongloudong�������,kedaozhishangjiafuwuqibeiruqin(raoguozhifu�������dexiaoguo)�������。muqian�������,loudongxiangxixinxiyijigongjifangshiyibeigongkai�������,yingxiangfanweijuda(yiyoumomo�������、vivoquerencunzaigailoudong)�������,jianyiyongdaojava sdk�������deyonghukuaisujianchabingxiufu�������,guanzhucunzaizhifuchangjing�������deyewuxitonganquan�������。
漏洞概述
亚博买球xmlwaibushitizhuru(xml external entity������,jianchengxxe):dangyunxuyinyongwaibushitishi������,tongguogouzaoeyineirong������,kedaozhiduqurenyiwenjian������、zhixingxitongmingling������、tanceneiwangduankou������、gongjineiwangwangzhandengweihai������。
漏洞危害
ciciloudongkeshigongjizhexiangtongzhiurlgoujianeyiyouxiaopayload������,yibiangenjuxuyaoqiequshangjiafuwuqi������derenhexinxi������。yidangongjizhehuodeshangjia������deguanjiananquanmiyao(md5-keyhemerchant-iddeng)������,tashenzhikeyitongguofasongweizaoxinxilaiqipianshangjiaerwuxufufeigoumairenhedongxi������。muqianweixinguanfangshangweiduisdkjinxingxiufu������。xianyiyoumomo������、vivoyijingyanzhengbeigailoudongyingxiang������。
受影响范围
weixinzhifuguanfangjava sdk
修复建议
亚博买球1������、yonghukeshiyongkaifayuyantigong������dejinyongwaibushiti������defangfa������。javajinyongwaibushiti������dedaimaruxia:
documentbuilderfactory dbf =documentbuilderfactory.newinstance(); dbf.setexpandentityreferences(false);
cankaolianjie:
