XXE s

• https://github.com/hazelcast/hazelcast/blob/14ef0dbefa4a6fa00a50a8873aeea02ec6c3f5e4/hazelcast/src/main/java/com/hazelcast/internal/config/AbstractXmlConfigRootTagRecognizer.java

• 参考：https://security.snyk.io/vuln/SNYK-JAVA-COMHAZELCAST-2415034

通用特征：

• 1. 调用a函数，污染成员变量。
• 1. 调用b函数，执行风险API。

• https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73
• 参考：https://security.snyk.io/vuln/SNYK-JAVA-COMMONITORJBL-2414470

• https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52

反序列化

• https://github.com/apache/cayenne/commit/3e57de7da4548d0a4a31970162a6d6d73ce72de0#diff-4f10967fe4cddc68e0d3f20e0090812bb089a52c0884fb5289d66c4ea6d6ad81
• https://github.com/apache/shardingsphere/commit/7065af6ac03aebfdb81150f10dd1c2fc7798cff8

• https://github.com/jenkinsci/jenkins/commit/8276aef4cc3dd81810fe6bdf6fa48141632c4636

DoS

• https://security.snyk.io/vuln/SNYK-JAVA-ORGOPENMRSWEB-2411024
•