[
https://issues.apache.org/jira/browse/TIKA-3074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17061132#comment-17061132
]
Tim Allison commented on TIKA-3074:
-----------------------------------
Thank you for opening this issue. Given that we just released 1.24 a few hours
ago, I think there's time to get this updated in cxf before our next release.
Would you be able to open an issue there and link to this issue?
> Vulnerable "woodstox-core" is present inside Tika 1.23
> ------------------------------------------------------
>
> Key: TIKA-3074
> URL: https://issues.apache.org/jira/browse/TIKA-3074
> Project: Tika
> Issue Type: Bug
> Reporter: Abhishek Chauhan
> Priority: Major
>
> *Short Description:* woodstox-core is a transitive dependency of Apache
> Tika. Checked the pom inside tika-app-1.23.jar, it seems that it is
> internally using 5.0.3 version of woodstox-core, which is vulnerable.
> *Root Cause:* tika-app-1.23.jar; com/ctc/wstx/sax/WstxSAXParserFactory.class
> : [5.0.1 , 5.3.0]
> *Vulnerability*: The woodstox-core package is vulnerable to Improper
> Restriction of XML eXternal Entity [XXE] Reference. The setFeature and
> getFeature methods in WstxSAXParserFactory.class rely on the
> mSecureProcessing boolean value to be able to securely parse input XML. The
> boolean value, however, is set to false by default. Additionally, the class
> lacks support for properties XMLConstants.FEATURE_SECURE_PROCESSING and
> XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, which can make it possible
> for an attacker to conduct XXE attacks.
> This vulnerability is addressed in the issue
> [https://github.com/FasterXML/woodstox/issues/61]
> *Solution of the Vulnerability*: Issue
> [https://github.com/FasterXML/woodstox/issues/61] is fixed in version 5.3.0
> of woodstox-core. Tika may need to upgrade the version of this dependency,
> so consumers are not affected by transitive dependency.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
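A consumer-side check, added here and not part of the issue, of Tika or of Woodstox, that a build can run against whichever woodstox-core ends up on the classpath: it asks the SAX factory for the standard hardening features the report says 5.0.3 lacks, then parses a constructed probe document and treats any attempt to resolve its external entity as a failure. The feature URIs, the class name and the probe file URI are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Build-time probe: does the SAX factory on the classpath resist an external-entity reference? */
public class XxeGuardCheck {
    // Constructed probe: an external general entity pointing at a file URI (assumed name, need not exist).
    private static final String PROBE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///nonexistent-xxe-probe\">]>\n" +
        "<d>&ext;</d>";

    /** Request the standard hardening features; false means the factory on the classpath rejected one. */
    static boolean harden(SAXParserFactory f) {
        try {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            return true;
        } catch (SAXException | ParserConfigurationException e) {
            return false; // e.g. SAXNotRecognizedException from a build that lacks the feature
        }
    }

    /** True only if the parser never attempts to resolve the external entity. */
    static boolean resistsXxe(SAXParserFactory f) {
        final boolean[] resolved = {false};
        try {
            f.newSAXParser().parse(
                new ByteArrayInputStream(PROBE.getBytes(StandardCharsets.UTF_8)),
                new DefaultHandler() {
                    @Override public InputSource resolveEntity(String pub, String sys) {
                        resolved[0] = true;   // the parser tried to fetch the entity: not safe
                        return new InputSource(new StringReader("")); // keep the probe off the filesystem
                    }
                });
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // Refusing the DOCTYPE outright is fine; failing after a resolution attempt is not.
        }
        return !resolved[0];
    }
}
```

Run it as a unit test with `SAXParserFactory.newInstance()` and fail the build unless both `harden` and `resistsXxe` return true; that catches a regression when a transitive dependency drags the old woodstox-core back in.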