
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was identified in 3breadt dd-plist version 1.17 related to XML External Entity (XXE) attacks in the XML parsing functionality. The issue was discovered and addressed in version 1.18, released as part of security improvements to the library (DD-PLIST Release).
The vulnerability involved insufficient protection against XXE attacks in the XML parser implementation. The fix included implementing security controls recommended by OWASP, such as disabling external general entities and parameter entities, setting XInclude awareness to false, and preventing expansion of entity references. These changes were implemented while maintaining compatibility with both Java and Android environments (GitHub PR).
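The parser settings listed above, as an added example (not dd-plist's own code): a `DocumentBuilderFactory` configured with those four controls, then checked against a constructed document whose external entity points at a temporary canary file the program creates itself. The class and helper names are hypothetical, and the tolerant `trySetFeature` wrapper is an assumption about how a parser that lacks a feature might be handled.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class HardenedPlistXml {
    // Hypothetical helper; the feature URIs are the standard SAX ones from the OWASP guidance.
    static DocumentBuilderFactory hardenedFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        trySetFeature(f, "http://xml.org/sax/features/external-general-entities", false);
        trySetFeature(f, "http://xml.org/sax/features/external-parameter-entities", false);
        try {
            f.setXIncludeAware(false);
        } catch (UnsupportedOperationException e) {
            // Parser has no XInclude support at all, so there is nothing to disable.
        }
        f.setExpandEntityReferences(false);
        return f;
    }

    // Assumption: log and continue when a parser rejects a feature.
    // A stricter deployment would fail closed here instead.
    static void trySetFeature(DocumentBuilderFactory f, String uri, boolean value) {
        try {
            f.setFeature(uri, value);
        } catch (ParserConfigurationException e) {
            System.err.println("parser does not support feature " + uri);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test input: the entity targets a canary file created just for this check.
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        Files.write(canary, "CANARY-VALUE".getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE plist [<!ENTITY ext SYSTEM \"" + canary.toUri() + "\">]>\n"
            + "<plist version=\"1.0\"><string>&ext;</string></plist>";
        Document doc = hardenedFactory().newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        String text = doc.getDocumentElement().getTextContent();
        System.out.println(text.contains("CANARY-VALUE")
            ? "FAIL: external entity was resolved"
            : "OK: external entity was not resolved");
        Files.delete(canary);
    }
}
```

The same canary check works as a regression test against any code path that parses untrusted XML property lists.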
The vulnerability could potentially allow an attacker to perform XML External Entity (XXE) attacks through specially crafted XML files. XXE attacks can lead to disclosure of sensitive files, denial of service, server-side request forgery, port scanning and other system impacts (OWASP XXE).
The vulnerability was fixed in dd-plist version 1.18 by implementing proper XXE attack protections in the XML parser configuration. Users should upgrade to version 1.18 or later to receive the security fix (DD-PLIST Release).
Source: This report was generated using AI