[ https://issues.apache.org/jira/browse/HDFS-16766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Akira Ajisaka resolved HDFS-16766.
----------------------------------
    Fix Version/s: 3.4.0
                   3.3.9
                   3.2.5
       Resolution: Fixed

Committed to trunk, branch-3.3, and branch-3.2. Thank you [~Du] for your report and thank you [~groot] for your fix!

> XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source
> --------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-16766
>                 URL: https://issues.apache.org/jira/browse/HDFS-16766
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.4
>            Reporter: Jing
>            Assignee: Ashutosh Gupta
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.9, 3.2.5
>
>
> XML External Entity (XXE) attacks can occur when an XML parser supports XML
> entities while processing XML received from an untrusted source. The attack
> resides in XML input containing references to an external entity and is parsed
> by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.
>
> https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93