Abhishek Chauhan created CXF-8245:
-------------------------------------
Summary: Vulnerable "woodstox-core" is present inside Tika 1.23
Key: CXF-8245
URL: https://issues.apache.org/jira/browse/CXF-8245
Project: CXF
Issue Type: Bug
Environment: *Short Description:* woodstox-core is a transitive
dependency of Apache Tika. I checked the pom inside tika-app-1.23.jar; it appears
to bundle version 5.0.3 of woodstox-core, which is vulnerable.
*Root Cause:* tika-app-1.23.jar; com/ctc/wstx/sax/WstxSAXParserFactory.class:
[5.0.1, 5.3.0]
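The check described above (looking at what the tika-app jar bundles) can be automated. The following is an added example, not code from this report or from the Tika or Woodstox projects: it opens one or more jars, reads the Maven pom.properties entry that a shaded jar keeps for each bundled dependency, and flags a woodstox-core version in the affected range. It assumes that the shaded tika-app jar retains the META-INF/maven entries of its dependencies and that woodstox-core 5.x uses the com.fasterxml.woodstox group id; the affected range is taken as 5.0.1 up to but not including the 5.3.0 fix.

```java
// Added example (not part of CXF-8245 or of Tika/Woodstox): audit jars for a
// bundled woodstox-core whose version falls in the reported affected range.
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class WoodstoxVersionAudit {

    // Assumption: Maven-built dependencies keep
    // META-INF/maven/<group>/<artifact>/pom.properties when shaded into tika-app,
    // and woodstox-core 5.x is published under com.fasterxml.woodstox.
    private static final String POM_PROPS =
        "META-INF/maven/com.fasterxml.woodstox/woodstox-core/pom.properties";

    /** Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("[.-]");
        String[] pb = b.split("[.-]");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? parsePart(pa[i]) : 0;
            int y = i < pb.length ? parsePart(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    /** Non-numeric qualifiers (e.g. "SNAPSHOT") are treated as 0 for this audit. */
    private static int parsePart(String s) {
        try {
            return Integer.parseInt(s);
        } catch (NumberFormatException e) {
            return 0;
        }
    }

    /** Affected range as reported: 5.0.1 up to, but not including, the 5.3.0 fix. */
    static boolean isAffected(String version) {
        return compareVersions(version, "5.0.1") >= 0
            && compareVersions(version, "5.3.0") < 0;
    }

    /** Return the bundled woodstox-core version, or null if the jar carries no such entry. */
    static String bundledWoodstoxVersion(JarFile jar) throws IOException {
        JarEntry e = jar.getJarEntry(POM_PROPS);
        if (e == null) {
            return null;
        }
        try (InputStream in = jar.getInputStream(e)) {
            Properties p = new Properties();
            p.load(in);
            return p.getProperty("version");
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length == 0) {
            System.err.println("usage: java WoodstoxVersionAudit <jar>...");
            System.exit(2);
        }
        int findings = 0;
        for (String path : args) {
            try (JarFile jar = new JarFile(path)) {
                String v = bundledWoodstoxVersion(jar);
                if (v == null) {
                    System.out.println(path + ": no bundled woodstox-core pom.properties");
                } else if (isAffected(v)) {
                    findings++;
                    System.out.println(path + ": woodstox-core " + v
                        + " AFFECTED (upgrade to 5.3.0 or later)");
                } else {
                    System.out.println(path + ": woodstox-core " + v + " ok");
                }
            }
        }
        // Non-zero exit so the check can gate a build or a deployment pipeline.
        System.exit(findings == 0 ? 0 : 1);
    }
}
```

Run it as `java WoodstoxVersionAudit tika-app-1.23.jar`; a jar that does not retain the pom.properties entry is reported as such rather than silently passed, so the output should be read alongside `mvn dependency:tree` for non-shaded builds.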
*Vulnerability*: The woodstox-core package is vulnerable to Improper
Restriction of XML eXternal Entity [XXE] Reference. The setFeature and
getFeature methods in WstxSAXParserFactory.class rely on the mSecureProcessing
boolean value to be able to securely parse input XML. The boolean value,
however, is set to false by default. Additionally, the class lacks support for
properties XMLConstants.FEATURE_SECURE_PROCESSING and
XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, which can make it possible for
an attacker to conduct XXE attacks.
This vulnerability is addressed in the issue
[https://github.com/FasterXML/woodstox/issues/61]
*Solution of the Vulnerability*: Issue
[https://github.com/FasterXML/woodstox/issues/61] is fixed in version 5.3.0 of
woodstox-core. Tika may need to upgrade the version of this dependency so that
consumers are not affected through the transitive dependency.
Reporter: Abhishek Chauhan
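Until the dependency is upgraded, application code that builds a Woodstox parser itself can close the XXE path by configuration. The following is an added example, not code from this report or from the Tika or Woodstox projects: it builds a Woodstox StAX factory with DTD support and external entity resolution disabled (the standard javax.xml.stream properties, including the IS_SUPPORTING_EXTERNAL_ENTITIES property named above), then runs a constructed XXE-shaped document through it to confirm the external resource is never read. It assumes the application constructs the factory directly; how Tika itself configures its parsers is not shown.

```java
// Added example (not part of CXF-8245 or of Tika/Woodstox): a Woodstox StAX
// factory hardened against XXE, with a constructed self-test document.
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import com.ctc.wstx.stax.WstxInputFactory;

public class HardenedWoodstoxParser {

    /** Build a Woodstox XMLInputFactory with the XXE-relevant features switched off. */
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = new WstxInputFactory();
        // Do not process DOCTYPE declarations: without a DTD there are no entity declarations.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Even where DTDs are processed, never resolve external entities.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Concatenate the character content of a document; throws if the parser rejects it. */
    public static String textContent(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an XXE-shaped document whose external entity points
        // at a placeholder path that does not exist. With the hardened factory the
        // DTD is not processed, so the entity is reported as an error or left
        // unresolved; in neither case is the referenced resource read.
        String xxeShaped =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/does/not/exist\">]>\n"
            + "<d>&ext;</d>";
        String benign = "<d>hello</d>";

        XMLInputFactory f = hardenedFactory();
        System.out.println("benign document -> '" + textContent(f, benign) + "'");
        try {
            String out = textContent(f, xxeShaped);
            System.out.println("XXE-shaped document parsed without resolving the entity; text = '"
                + out + "'");
        } catch (XMLStreamException e) {
            System.out.println("XXE-shaped document rejected: " + e.getMessage());
        }
    }
}
```

Disabling SUPPORT_DTD is the stronger of the two settings because it also removes internal-entity expansion; IS_SUPPORTING_EXTERNAL_ENTITIES is kept as well so that a later change to the DTD setting does not silently reopen external resolution.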
--
This message was sent by Atlassian Jira
(v8.3.4#803005)