Eduardo Aguinaga created KARAF-4217: ---------------------------------------
Summary: XML External Entity Injection
Key: KARAF-4217
URL: https://issues.apache.org/jira/browse/KARAF-4217
Project: Karaf
Issue Type: Bug
Affects Versions: 4.0.3
Reporter: Eduardo Aguinaga

HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.

The XML parser configured in MavenConfigService.java:74 does not prevent or limit external entity resolution. This can expose the parser to an XML External Entities attack. See external issue URL.

File: bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
Line: 74

MavenConfigService.java, lines 66-76:

    66     static String getLocalRepoFromConfig(Dictionary<String, Object> dict) throws XMLStreamException, FileNotFoundException {
    67         String path = null;
    68         if (dict != null) {
    69             path = (String) dict.get("org.ops4j.pax.url.mvn.localRepository");
    70             if (path == null) {
    71                 String settings = (String) dict.get("org.ops4j.pax.url.mvn.settings");
    72                 if (settings != null) {
    73                     File file = new File(settings);
    74                     XMLStreamReader reader = XMLInputFactory.newFactory().createXMLStreamReader(new FileInputStream(file));
    75                     try {
    76                         int event;

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
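The finding above is about line 74 creating a StAX reader from a default XMLInputFactory, which, depending on the implementation, may process a DOCTYPE in the settings file and resolve external entities. The following is an added example written for this note; it is not Karaf code and not part of the JIRA report. It shows the same read-the-localRepository-element flow with the factory's DTD support and external entity resolution switched off through the standard XMLInputFactory.SUPPORT_DTD and XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES properties. The class name, the method names and both XML strings are constructed for the example; the second string carries a DOCTYPE only so the hardened configuration can be checked against it.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

// Hypothetical class name; not part of Apache Karaf.
public class HardenedSettingsReader {

    // Constructed sample with the shape of a Maven settings.xml (not a file from the project).
    static final String SAMPLE_SETTINGS =
        "<settings><localRepository>/tmp/example-repo</localRepository></settings>";

    // Constructed sample carrying a DOCTYPE with an external entity pointing at a
    // placeholder URI; used only to verify that the hardened factory refuses to resolve it.
    static final String SAMPLE_WITH_DTD =
        "<!DOCTYPE settings [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>"
        + "<settings><localRepository>&ext;</localRepository></settings>";

    // A factory that neither processes DTDs nor resolves external entities.
    // Both property names are standard javax.xml.stream constants.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    // Same purpose as the loop that follows line 76 in the report: return the text of
    // the <localRepository> element, or null when the document has none.
    static String readLocalRepository(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.START_ELEMENT
                        && "localRepository".equals(reader.getLocalName())) {
                    return reader.getElementText();
                }
            }
            return null;
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory factory = hardenedFactory();

        // Ordinary settings file: parsed normally.
        System.out.println("localRepository = " + readLocalRepository(factory, SAMPLE_SETTINGS));

        // Settings file with a DOCTYPE: the entity is never fetched; the parser either
        // raises an XMLStreamException or leaves the reference unresolved.
        try {
            System.out.println("with DTD: " + readLocalRepository(factory, SAMPLE_WITH_DTD));
        } catch (XMLStreamException e) {
            System.out.println("DTD/entity input rejected: " + e.getMessage());
        }
    }
}
```

The two properties do the work: SUPPORT_DTD=false stops the internal and external subsets from being processed, and IS_SUPPORTING_EXTERNAL_ENTITIES=false stops any SYSTEM entity from being fetched even if a DTD is seen. With the StAX implementation bundled in the JDK the DOCTYPE-bearing sample ends in an XMLStreamException because the entity cannot be declared and resolved; other implementations may instead report an unresolved reference, which is why the example treats both outcomes as the mitigation working. Applying the same two setProperty calls on the factory created at line 74 is the minimal fix for the finding.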