[jira] [Assigned] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

Uwe Schindler (JIRA) Sun, 06 May 2018 05:16:46 -0700

     [ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Uwe Schindler reassigned LUCENE-8291:
-------------------------------------

    Assignee: Uwe Schindler

> Possible security issue when parsing XML documents containing external entity 
> references
> ----------------------------------------------------------------------------------------
>
>                 Key: LUCENE-8291
>                 URL: https://issues.apache.org/jira/browse/LUCENE-8291
>             Project: Lucene - Core
>          Issue Type: Bug
>          Components: modules/queryparser
>    Affects Versions: 7.2.1
>            Reporter: Hendrik Saly
>            Assignee: Uwe Schindler
>            Priority: Critical
>              Labels: security
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in 
> DOMUtils.java line 204 XML is parsed without disabling external entity 
> references (XXE). This is described in 
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are 
> listed here: 
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> [https://www.cvedetails.com/cve/CVE-2014-6517/] is also related.
> All recent versions of lucene are affected.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Assigned] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

Reply via email to