[jira] [Updated] (JAMES-3033) Vulnerability found in dependency com.puppycrawl.tools:checkstyle

Sun, 02 Feb 2020 23:45:24 -0800 


     [ 
https://issues.apache.org/jira/browse/JAMES-3033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

René Cordier updated JAMES-3033:
--------------------------------
    Description: 
Due to an incomplete fix for 
[CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658], 
checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus 
ending up to this [CWE-611: Improper Restriction of XML External Entity 
Reference|https://cwe.mitre.org/data/definitions/611.html]

It is not urgent to upgrade though as :
* checkstyle is run at compile time, runtime James behavior is not impacted 
(thus do not qualify as an Apache CVE) 
* However automated CIs may be exposed to malicious pull requests with crafted 
XML content leveraging the CVE pre-requisite. Even there, executing the 
compilation within a docker container with limited rights might be a good risk 
mitigation. Relying on "priviledge mode" or using a writable docker socket 
might not.


  was:
Due to an incomplete fix for 
[CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658], 
checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus 
ending up to this [CWE-611: Improper Restriction of XML External Entity 
Reference|https://cwe.mitre.org/data/definitions/611.html]

It is not urgent to upgrade though


> Vulnerability found in dependency com.puppycrawl.tools:checkstyle
> -----------------------------------------------------------------
>
>                 Key: JAMES-3033
>                 URL: https://issues.apache.org/jira/browse/JAMES-3033
>             Project: James Server
>          Issue Type: Improvement
>            Reporter: René Cordier
>            Priority: Minor
>              Labels: security
>
> Due to an incomplete fix for 
> [CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658], 
> checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus 
> ending up to this [CWE-611: Improper Restriction of XML External Entity 
> Reference|https://cwe.mitre.org/data/definitions/611.html]
> It is not urgent to upgrade though as :
> * checkstyle is run at compile time, runtime James behavior is not impacted 
> (thus do not qualify as an Apache CVE) 
> * However automated CIs may be exposed to malicious pull requests with 
> crafted XML content leveraging the CVE pre-requisite. Even there, executing 
> the compilation within a docker container with limited rights might be a good 
> risk mitigation. Relying on "priviledge mode" or using a writable docker 
> socket might not.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to