[ 
https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4217:
----------------------------------------
    Fix Version/s:     (was: 4.0.7)
                   4.0.8

> XML External Entity Injection
> -----------------------------
>
>                 Key: KARAF-4217
>                 URL: https://issues.apache.org/jira/browse/KARAF-4217
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the karaf source code.
> XML parser configured in MavenConfigService.java:74 does not prevent nor 
> limit external entities resolution. This can expose the parser to an XML 
> External Entities attack. See external issue URL.
> File: 
> bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
> Line: 74
> MavenConfigService.java, lines 66-76:
> {code}
> 66 static String getLocalRepoFromConfig(Dictionary<String, Object> dict) 
> throws XMLStreamException, FileNotFoundException {
> 67     String path = null;
> 68     if (dict != null) {
> 69         path = (String) dict.get("org.ops4j.pax.url.mvn.localRepository");
> 70         if (path == null) {
> 71             String settings = (String) 
> dict.get("org.ops4j.pax.url.mvn.settings");
> 72             if (settings != null) {
> 73                 File file = new File(settings);
> 74                 XMLStreamReader reader = 
> XMLInputFactory.newFactory().createXMLStreamReader(new FileInputStream(file));
> 75                 try {
> 76                     int event;
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to