[ https://issues.apache.org/jira/browse/ACCUMULO-4534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15734365#comment-15734365 ]
Christopher Tubbs commented on ACCUMULO-4534:
---------------------------------------------

Sure thing. I offered my comments on the PR.

> Remove XML external entity issue in RestoreZooKeeper
> ----------------------------------------------------
>
>                 Key: ACCUMULO-4534
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4534
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.7.3, 1.8.1, 2.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> There appears to be an issue in RestoreZooKeeper in which the tool may, with
> specially crafted XML, load external files on the system. I'm not going the
> normal vulnerability route with this because the command is executed by a
> user on an XML file they provide (so, the vector is that you attacked
> yourself out of ignorance).
> However, it would still be good to remove this as a possibility since it's
> very simple. This was found by a static analysis tool.
> For more info,
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
> is a good writeup.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
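As an added illustration of the mitigation the linked OWASP cheat sheet describes (this is not Accumulo's own RestoreZooKeeper code, and the tool's actual parser setup is not shown on this page), the following Java snippet configures a SAX parser to refuse DOCTYPE declarations and external entities, then runs it over a constructed document carrying an external entity and a constructed benign one. The class name, samples and the placeholder file path are all assumptions made for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParse {
    // Constructed sample: a DOCTYPE declares an external entity that points at a
    // local file (placeholder path). A parser that resolves entities would read
    // that file and substitute its contents into the <node> text.
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE dump [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/local/file\">]>\n"
        + "<dump><node name=\"/example\">&ext;</node></dump>";

    // Constructed sample: a benign document with no DOCTYPE at all.
    static final String PLAIN_SAMPLE =
        "<?xml version=\"1.0\"?><dump><node name=\"/example\">value</node></dump>";

    /** Builds a SAXParserFactory configured as the OWASP XXE cheat sheet recommends. */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright; this alone stops classic XXE and entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must accept a DOCTYPE: never fetch
        // external general/parameter entities or an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Parses the document with the hardened parser; returns false if it was rejected. */
    static boolean parse(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign document accepted: " + parse(PLAIN_SAMPLE));
        System.out.println("DOCTYPE document accepted: " + parse(XXE_SAMPLE));
    }
}
```

With the default JDK parser the benign document is accepted and the DOCTYPE document is rejected before any entity is resolved, so the referenced file is never opened.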