[ https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476964#comment-16476964 ]
ASF subversion and git services commented on LUCENE-8291: --------------------------------------------------------- Commit 3a73d4b2d60af89b1b88dcf2e484d73927a46bb1 in lucene-solr's branch refs/heads/master from [~thetaphi] [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=3a73d4b ] LUCENE-8291: Remove untested/unmaintained demo webapp > Possible security issue when parsing XML documents containing external entity > references > ---------------------------------------------------------------------------------------- > > Key: LUCENE-8291 > URL: https://issues.apache.org/jira/browse/LUCENE-8291 > Project: Lucene - Core > Issue Type: Bug > Components: modules/queryparser > Affects Versions: 7.2.1 > Reporter: Hendrik Saly > Assignee: Uwe Schindler > Priority: Major > Fix For: 7.4, master (8.0) > > Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch > > > It appears that in QueryTemplateManager.java lines 149 and 198 and in > DOMUtils.java line 204 XML is parsed without disabling external entity > references (XXE). This is described in > [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are > listed here: > [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet] > All recent versions of lucene are affected. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org