[jira] [Updated] (KARAF-4217) XML External Entity Injection
[ https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4217:
    Fix Version/s: (was: 4.1.0)
                   4.1.1

> XML External Entity Injection
> -----------------------------
>
>                 Key: KARAF-4217
>                 URL: https://issues.apache.org/jira/browse/KARAF-4217
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.0.9, 4.1.1
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis on the karaf source code.
>
> XML parser configured in MavenConfigService.java:74 does not prevent nor
> limit external entities resolution. This can expose the parser to an XML
> External Entities attack. See external issue URL.
>
> File: bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
> Line: 74
>
> MavenConfigService.java, lines 66-76:
> {code}
> 66     static String getLocalRepoFromConfig(Dictionary dict) throws XMLStreamException, FileNotFoundException {
> 67         String path = null;
> 68         if (dict != null) {
> 69             path = (String) dict.get("org.ops4j.pax.url.mvn.localRepository");
> 70             if (path == null) {
> 71                 String settings = (String) dict.get("org.ops4j.pax.url.mvn.settings");
> 72                 if (settings != null) {
> 73                     File file = new File(settings);
> 74                     XMLStreamReader reader = XMLInputFactory.newFactory().createXMLStreamReader(new FileInputStream(file));
> 75                     try {
> 76                         int event;
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
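Added example (not code from the Karaf source or from the issue): the default-configured StAX reader of line 74 next to a hardened one, both run over a constructed settings.xml that carries the classic external-entity file-read payload. The class and method names (SafeSettingsReader, defaultFactory, hardenedFactory, localRepository) and both sample documents are this example's own; the two XMLInputFactory properties it sets are standard javax.xml.stream constants, not Karaf API.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeSettingsReader {

    // Factory exactly as obtained at MavenConfigService.java:74. Whether it
    // resolves external entities depends on the StAX implementation on the
    // classpath; the JDK's built-in one does so unless told otherwise.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newFactory();
    }

    // Hardened factory: no DTD processing, no external entity resolution.
    // Both property names are standard StAX (javax.xml.stream) constants.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Walks the document and returns the character content of the first
    // <localRepository> element, or null if there is none. Only CHARACTERS
    // events are collected, so an unexpanded entity reference never leaks
    // into the result.
    static String localRepository(XMLInputFactory factory, String settingsXml)
            throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(settingsXml));
        try {
            StringBuilder text = null;
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.START_ELEMENT
                        && "localRepository".equals(reader.getLocalName())) {
                    text = new StringBuilder();
                } else if (text != null && event == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                } else if (text != null && event == XMLStreamConstants.END_ELEMENT) {
                    return text.toString().trim();
                }
            }
            return null;
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs (not taken from Karaf or its tests).
        String benign =
            "<settings><localRepository>/home/build/.m2/repository</localRepository></settings>";
        // XXE file-read payload: a DOCTYPE declares an external entity and the
        // element body asks the parser to substitute it.
        String hostile =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE settings [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
          + "<settings><localRepository>&xxe;</localRepository></settings>";

        System.out.println("benign,  hardened: " + localRepository(hardenedFactory(), benign));

        try {
            // With the JDK parser this prints the contents of /etc/hostname.
            System.out.println("hostile, default:  " + localRepository(defaultFactory(), hostile));
        } catch (XMLStreamException e) {
            System.out.println("hostile, default:  rejected (" + e.getMessage() + ")");
        }

        try {
            // Either the DOCTYPE is refused outright or &xxe; stays unexpanded;
            // in neither case is /etc/hostname opened.
            System.out.println("hostile, hardened: " + localRepository(hardenedFactory(), hostile));
        } catch (XMLStreamException e) {
            System.out.println("hostile, hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac SafeSettingsReader.java && java SafeSettingsReader`. Which of the two hardened outcomes you see (an exception on the DOCTYPE, or an empty value because the reference was left unresolved) depends on the StAX implementation on the classpath; what does not vary is that the file named by the entity is never read. Note that in the code at lines 69-74 the settings path itself comes from the `org.ops4j.pax.url.mvn.settings` configuration property, so the trust boundary is whoever can write that file or set that property, not only network input.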
[jira] [Updated] (KARAF-4217) XML External Entity Injection
[ https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4217:
    Fix Version/s: (was: 4.0.8)
                   4.0.9

> XML External Entity Injection
> -----------------------------
>
>                 Key: KARAF-4217
>                 URL: https://issues.apache.org/jira/browse/KARAF-4217
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.9
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (KARAF-4217) XML External Entity Injection
[ https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4217:
    Fix Version/s: (was: 4.0.6)
                   4.0.7

> XML External Entity Injection
> -----------------------------
>
>                 Key: KARAF-4217
>                 URL: https://issues.apache.org/jira/browse/KARAF-4217
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.7
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (KARAF-4217) XML External Entity Injection
[ https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4217:
    Fix Version/s: 4.0.6
                   4.1.0

> XML External Entity Injection
> -----------------------------
>
>                 Key: KARAF-4217
>                 URL: https://issues.apache.org/jira/browse/KARAF-4217
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.6
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (KARAF-4217) XML External Entity Injection
[ https://issues.apache.org/jira/browse/KARAF-4217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4217:
    Description:
HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.

XML parser configured in MavenConfigService.java:74 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack. See external issue URL.

File: bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
Line: 74

MavenConfigService.java, lines 66-76:
{code}
66     static String getLocalRepoFromConfig(Dictionary dict) throws XMLStreamException, FileNotFoundException {
67         String path = null;
68         if (dict != null) {
69             path = (String) dict.get("org.ops4j.pax.url.mvn.localRepository");
70             if (path == null) {
71                 String settings = (String) dict.get("org.ops4j.pax.url.mvn.settings");
72                 if (settings != null) {
73                     File file = new File(settings);
74                     XMLStreamReader reader = XMLInputFactory.newFactory().createXMLStreamReader(new FileInputStream(file));
75                     try {
76                         int event;
{code}

  was:
HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.

XML parser configured in MavenConfigService.java:74 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack. See external issue URL.

File: bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
Line: 74

MavenConfigService.java, lines 66-76:
66     static String getLocalRepoFromConfig(Dictionary dict) throws XMLStreamException, FileNotFoundException {
67         String path = null;
68         if (dict != null) {
69             path = (String) dict.get("org.ops4j.pax.url.mvn.localRepository");
70             if (path == null) {
71                 String settings = (String) dict.get("org.ops4j.pax.url.mvn.settings");
72                 if (settings != null) {
73                     File file = new File(settings);
74                     XMLStreamReader reader = XMLInputFactory.newFactory().createXMLStreamReader(new FileInputStream(file));
75                     try {
76                         int event;

> XML External Entity Injection
> -----------------------------
>
>                 Key: KARAF-4217
>                 URL: https://issues.apache.org/jira/browse/KARAF-4217
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)