[
https://issues.apache.org/jira/browse/TINKERPOP-2589?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stephen Mallette closed TINKERPOP-2589.
---------------------------------------
Fix Version/s: 3.5.2
3.4.13
3.6.0
Assignee: Stephen Mallette
Resolution: Fixed
Fixed as CTR:
https://github.com/apache/tinkerpop/commit/7c2c4f37e261592fb42a97701ad620b5bfcb0bd7
> XML External Entity (XXE) vulnerability
> ---------------------------------------
>
> Key: TINKERPOP-2589
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2589
> Project: TinkerPop
> Issue Type: Bug
> Components: structure
> Affects Versions: 3.4.11
> Reporter: Saikiran Boga
> Assignee: Stephen Mallette
> Priority: Major
> Fix For: 3.6.0, 3.4.13, 3.5.2
>
>
> Found this from a security vulnerability scan. The following usage in
> gremlin-core package allows reading XML input stream and could potentially
> lead to XXE attack.
> In general, when XML input containing a reference to an external entity is
> processed by a weakly configured XML parser, it can lead to an XML external
> entity (XXE) attack.
> [https://github.com/apache/tinkerpop/blob/master/gremlin-core/src/main/java/org/apache/tinkerpop/gremlin/structure/io/graphml/GraphMLReader.java#L396]
> More details on the vulnerability:
> [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing]
> How to Fix:
> [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser]
>
> Setting these properties on the XML factory should fix this:
> {code:java}
> inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
> false);
> inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
