Josh Elser created ACCUMULO-4534:
------------------------------------

             Summary: Remove XML external entity issue in RestoreZooKeeper
                 Key: ACCUMULO-4534
                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4534
             Project: Accumulo
          Issue Type: Bug
            Reporter: Josh Elser
            Assignee: Josh Elser
             Fix For: 1.7.3, 1.8.1, 2.0.0


There appears to be an issue in RestoreZooKeeper in which the tool may, with 
specially crafted XML, load external files on the system. I'm not going the 
normal vulnerability route with this because the command is executed by a user 
on an XML file they provide (so, the vector is that you attacked yourself out 
of ignorance).

However, it would still be good to remove this as a possibility since it's very 
simple. This was found by a static analysis tool.

For more info, https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet is a good writeup.
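A JAXP parser configuration hardened along the lines of that cheat sheet, added here as an illustration and not the Accumulo project's own RestoreZooKeeper code; it assumes a DOM DocumentBuilder (RestoreZooKeeper's actual parser API is not stated here), a constructed input, and a placeholder SYSTEM path:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParse {
  // Build a DocumentBuilder that refuses DOCTYPE declarations and never resolves
  // external entities or external DTDs, so crafted XML cannot pull files off the host.
  static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    // Rejecting the DOCTYPE outright blocks every entity declaration (internal or external).
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Belt and braces in case a DOCTYPE ever has to be tolerated for compatibility.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    return f.newDocumentBuilder();
  }

  public static void main(String[] args) throws Exception {
    // Constructed input: a DOCTYPE declaring an external entity; the path is a placeholder.
    String crafted = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE dump [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>\n"
        + "<dump><node>&ext;</node></dump>";
    try {
      hardenedBuilder().parse(new ByteArrayInputStream(crafted.getBytes(StandardCharsets.UTF_8)));
      System.out.println("unexpected: crafted document was accepted");
    } catch (SAXParseException e) {
      // Expected: the parser rejects the DOCTYPE before any entity can be resolved.
      System.out.println("rejected: " + e.getMessage());
    }
    // An ordinary dump without a DOCTYPE still parses normally.
    String plain = "<dump><node>value</node></dump>";
    Document ok = hardenedBuilder().parse(new ByteArrayInputStream(plain.getBytes(StandardCharsets.UTF_8)));
    System.out.println("root element: " + ok.getDocumentElement().getTagName());
  }
}
```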



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
