
Cloud Vulnerability DB
A community-led vulnerabilities database
An XXE (XML External Entity) issue was discovered in SAXBuilder in JDOM through version 2.0.6. The vulnerability was identified on June 3, 2021, and allows attackers to cause a denial of service via a crafted HTTP request (Aleph Security, NVD).
The vulnerability exists in the SAXBuilder class, where setting the external-general-entities feature has no effect: whether the feature is set to true or false, the parser ignores that value and uses the value of the Expand Entity setting instead. Because SAXBuilder expands entities by default, this behavior can expose applications that believed they had disabled external entities to XXE attacks, in particular billion laughs attacks, when parsing XML documents (Aleph Security).
When successfully exploited, the vulnerability can lead to denial of service attacks through XML entity expansion, potentially affecting system availability and resource consumption (Aleph Security, NVD).
As a temporary mitigation, users can disable entity expansion on the SAXBuilder by calling builder.setExpandEntities(false), which is the setting the parser actually honours and therefore protects it from XXE. The permanent fix was released in version 2.0.6.1, and users are recommended to upgrade to this version (JDOM Releases, Aleph Security).
The vulnerability has been acknowledged and addressed by multiple organizations, including Oracle, which included fixes in its Critical Patch Updates, and Linux distributions such as Fedora and Debian, which released security updates for the affected packages (Oracle CPU, Fedora Update).
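The interim mitigation above, shown as an added Java example that is not code from the advisory or the JDOM project. It assumes JDOM 2.x's org.jdom2.input.SAXBuilder API (setExpandEntities, setFeature, build) and that the JDK's bundled Xerces parser recognises the disallow-doctype-decl feature; the sample XML document is constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.Element;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

/**
 * Added example (not from the advisory or JDOM): contrasts a default
 * SAXBuilder with one carrying the interim mitigation, and with a stricter
 * builder that refuses documents carrying a DOCTYPE at all.
 */
public class JdomXxeMitigation {

    // Constructed sample document: a DOCTYPE declaring one small internal
    // entity, just enough to show whether references are expanded or not.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<note>&greeting;</note>\n";

    /** Mitigation from the advisory: stop entity expansion altogether. */
    static SAXBuilder mitigatedBuilder() {
        SAXBuilder builder = new SAXBuilder();
        // On affected versions this is the setting the parser honours;
        // setFeature("...external-general-entities", false) alone is ignored.
        builder.setExpandEntities(false);
        return builder;
    }

    /** Stricter variant: reject any document that declares a DOCTYPE. */
    static SAXBuilder doctypeRejectingBuilder() {
        SAXBuilder builder = mitigatedBuilder();
        // Xerces feature name (assumption: the JDK's bundled parser supports it).
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return builder;
    }

    /** Parses xml with the given builder and returns the root element's text. */
    static String rootText(SAXBuilder builder, String xml)
            throws JDOMException, IOException {
        Document doc = builder.build(new StringReader(xml));
        Element root = doc.getRootElement();
        return root.getText();
    }

    public static void main(String[] args) throws Exception {
        // Default builder: the entity is expanded, so the text reads "hello".
        System.out.println("default:   '" + rootText(new SAXBuilder(), SAMPLE) + "'");

        // Mitigated builder: JDOM keeps the reference as an EntityRef node and
        // suppresses its content, so getText() returns an empty string.
        System.out.println("mitigated: '" + rootText(mitigatedBuilder(), SAMPLE) + "'");

        // DOCTYPE-rejecting builder: the parser throws before any entity is seen.
        try {
            rootText(doctypeRejectingBuilder(), SAMPLE);
            System.out.println("rejecting: unexpectedly accepted the document");
        } catch (JDOMException e) {
            System.out.println("rejecting: refused DOCTYPE (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run it against jdom2 on the classpath. The second builder is the advisory's workaround for affected versions; the third goes one step further and is the usual choice when an application never needs DTDs, since refusing the DOCTYPE up front removes the entity-expansion surface regardless of which JDOM settings the parser honours. Neither replaces upgrading to 2.0.6.1.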
Source: This report was generated using AI