[ https://issues.apache.org/jira/browse/JUDDI-987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16358615#comment-16358615 ]

ASF subversion and git services commented on JUDDI-987:
-------------------------------------------------------

Commit 442fb55723cf1af1490395b2b005e787026801b3 in juddi's branch 
refs/heads/master from [~spyhunter99]
[ https://git-wip-us.apache.org/repos/asf?p=juddi.git;h=442fb55 ]

JUDDI-987 adding security advisory


> CVE-2018-1307 XML Entity Expansion
> ----------------------------------
>
>                 Key: JUDDI-987
>                 URL: https://issues.apache.org/jira/browse/JUDDI-987
>             Project: jUDDI
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.2, 3.2.1, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4
>            Reporter: Alex O'Ree
>            Assignee: Alex O'Ree
>            Priority: Major
>             Fix For: 3.3.5
>
>
> CVEID  CVE-2018-1307 
>  
> VERSION:  3.2 through 3.3.4
>  
> PROBLEMTYPE: XML Entity Expansion
>  
> REFERENCES: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4267]
>  
> DESCRIPTION: If using the WADL2Java or WSDL2Java classes, which parse a local 
> or remote XML document and then mediate the data structures into UDDI data 
> structures, there are few protections present against entity expansion and 
> DTD type of attacks. This was fixed with 
> https://issues.apache.org/jira/browse/JUDDI-987
>  
> Severity: Moderate
>  
> Mitigation:
>  
> Update your juddi-client dependencies to 3.3.5 or newer and/or discontinue 
> use of the affected classes.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
