[jira] [Updated] (KARAF-4217) XML External Entity Injection

2017-01-27 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4217:

Fix Version/s: (was: 4.1.0)
   4.1.1

> XML External Entity Injection
> -
>
> Key: KARAF-4217
> URL: https://issues.apache.org/jira/browse/KARAF-4217
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.0.9, 4.1.1
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the Karaf source code.
> XML parser configured in MavenConfigService.java:74 does not prevent nor 
> limit external entities resolution. This can expose the parser to an XML 
> External Entities attack. See external issue URL.
> File: 
> bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
> Line: 74
> MavenConfigService.java, lines 66-76:
> {code}
> 66 static String getLocalRepoFromConfig(Dictionary dict) throws XMLStreamException, FileNotFoundException {
> 67     String path = null;
> 68     if (dict != null) {
> 69         path = (String) dict.get("org.ops4j.pax.url.mvn.localRepository");
> 70         if (path == null) {
> 71             String settings = (String) dict.get("org.ops4j.pax.url.mvn.settings");
> 72             if (settings != null) {
> 73                 File file = new File(settings);
> 74                 XMLStreamReader reader = XMLInputFactory.newFactory().createXMLStreamReader(new FileInputStream(file));
> 75                 try {
> 76                     int event;
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
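A hardened counterpart to the factory at line 74, added here as an example and not Karaf's own code: the same StAX reader, but with DTD processing and external entity resolution switched off on the XMLInputFactory before the reader is created. The class and method names (HardenedSettingsReader, localRepository, toStream) and the two inline settings documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedSettingsReader {

    // The reported shape is XMLInputFactory.newFactory() with default properties;
    // on the JDK's built-in StAX implementation that leaves DTDs enabled and
    // external entities resolvable. This factory turns both off.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Returns the text of the first <localRepository> element, or null if absent.
    static String localRepository(XMLInputFactory f, InputStream in) throws XMLStreamException {
        XMLStreamReader reader = f.createXMLStreamReader(in);
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.START_ELEMENT
                        && "localRepository".equals(reader.getLocalName())) {
                    return reader.getElementText();
                }
            }
            return null;
        } finally {
            reader.close();
        }
    }

    static InputStream toStream(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain settings document and one carrying a DTD.
        String plain = "<settings><localRepository>/home/karaf/.m2</localRepository></settings>";
        String withDtd = "<!DOCTYPE settings [<!ENTITY repo \"/tmp/repo\">]>"
                + "<settings><localRepository>&repo;</localRepository></settings>";
        XMLInputFactory hardened = hardenedFactory();
        System.out.println(localRepository(hardened, toStream(plain)));
        try {
            localRepository(hardened, toStream(withDtd));
        } catch (XMLStreamException e) {
            // With SUPPORT_DTD off the entity is never declared, so the JDK parser
            // reports the reference as an error instead of expanding it.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The settings path still comes from the org.ops4j.pax.url.mvn.settings property, so the hardened factory limits what a crafted settings file can do but does not change who is able to point Karaf at one.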


[jira] [Updated] (KARAF-4217) XML External Entity Injection

2016-12-10 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4217:

Fix Version/s: (was: 4.0.8)
   4.0.9

> XML External Entity Injection
> -
>
> Key: KARAF-4217
> URL: https://issues.apache.org/jira/browse/KARAF-4217
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.9
>
>





[jira] [Updated] (KARAF-4217) XML External Entity Injection

2016-08-23 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4217:

Fix Version/s: (was: 4.0.6)
   4.0.7

> XML External Entity Injection
> -
>
> Key: KARAF-4217
> URL: https://issues.apache.org/jira/browse/KARAF-4217
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.7
>
>





[jira] [Updated] (KARAF-4217) XML External Entity Injection

2016-03-31 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4217:

Fix Version/s: 4.0.6
   4.1.0

> XML External Entity Injection
> -
>
> Key: KARAF-4217
> URL: https://issues.apache.org/jira/browse/KARAF-4217
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.6
>
>





[jira] [Updated] (KARAF-4217) XML External Entity Injection

2015-12-16 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4217:

Description: 
HP Fortify SCA and SciTools Understand were used to perform an application 
security analysis on the Karaf source code.

XML parser configured in MavenConfigService.java:74 does not prevent nor limit 
external entities resolution. This can expose the parser to an XML External 
Entities attack. See external issue URL.

File: 
bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
Line: 74

MavenConfigService.java, lines 66-76:
{code}
66 static String getLocalRepoFromConfig(Dictionary dict) throws XMLStreamException, FileNotFoundException {
67     String path = null;
68     if (dict != null) {
69         path = (String) dict.get("org.ops4j.pax.url.mvn.localRepository");
70         if (path == null) {
71             String settings = (String) dict.get("org.ops4j.pax.url.mvn.settings");
72             if (settings != null) {
73                 File file = new File(settings);
74                 XMLStreamReader reader = XMLInputFactory.newFactory().createXMLStreamReader(new FileInputStream(file));
75                 try {
76                     int event;
{code}

  was:
HP Fortify SCA and SciTools Understand were used to perform an application 
security analysis on the Karaf source code.

XML parser configured in MavenConfigService.java:74 does not prevent nor limit 
external entities resolution. This can expose the parser to an XML External 
Entities attack. See external issue URL.

File: 
bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
Line: 74

MavenConfigService.java, lines 66-76:
66 static String getLocalRepoFromConfig(Dictionary dict) throws XMLStreamException, FileNotFoundException {
67     String path = null;
68     if (dict != null) {
69         path = (String) dict.get("org.ops4j.pax.url.mvn.localRepository");
70         if (path == null) {
71             String settings = (String) dict.get("org.ops4j.pax.url.mvn.settings");
72             if (settings != null) {
73                 File file = new File(settings);
74                 XMLStreamReader reader = XMLInputFactory.newFactory().createXMLStreamReader(new FileInputStream(file));
75                 try {
76                     int event;


> XML External Entity Injection
> -
>
> Key: KARAF-4217
> URL: https://issues.apache.org/jira/browse/KARAF-4217
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
>


