CVE-2014-125087: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in java-xmlbuilder versions up to 1.1 (CVE-2014-125087). The vulnerability is related to XML external entity (XXE) processing and has been rated as critical with a CVSS score of 9.8. The issue affects the XML parsing functionality in the library, where external entities are enabled by default, potentially allowing for XXE injection attacks (CVE Details, MITRE).

The vulnerability stems from the default configuration of java-xmlbuilder that enables external general entities and external parameter entities in the DocumentBuilderFactory when create or parse methods are used. This configuration allows for XML External Entity (XXE) processing without explicit user control. The issue was addressed in version 1.2 through the implementation of explicit controls for external entity parsing, requiring developers to specifically enable this feature if needed (GitHub Commit).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, and potential Denial of Service (DoS). The critical CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates the severity of potential impacts (NetApp Advisory).

The vulnerability has been fixed in java-xmlbuilder version 1.2. The fix includes explicitly disabling external general and parameter entities by default, with the option to enable them only when specifically required through new versions of the create and parse methods. Users are strongly recommended to upgrade to version 1.2 or later to address this security issue (GitHub Release).