[ 
https://issues.apache.org/jira/browse/JAMES-3033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

René Cordier updated JAMES-3033:
--------------------------------
    Description: 
Due to an incomplete fix for 
[CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658], 
checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus 
leading to this [CWE-611: Improper Restriction of XML External Entity 
Reference|https://cwe.mitre.org/data/definitions/611.html].

The issue is not very severe:
* checkstyle is run at compile time, runtime James behavior is not impacted 
(thus does not qualify as an Apache CVE) 
* However automated CIs may be exposed to malicious pull requests with crafted 
XML content leveraging the CVE prerequisite. Even there, executing the 
compilation within a docker container with limited rights might be a good risk 
mitigation. Relying on "privilege mode" or using a writable docker socket 
might not.

We might still want to fix it regarding our CI use.

  was:
Due to an incomplete fix for 
[CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658], 
checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus 
leading to this [CWE-611: Improper Restriction of XML External Entity 
Reference|https://cwe.mitre.org/data/definitions/611.html].

It is not urgent to upgrade though as:
* checkstyle is run at compile time, runtime James behavior is not impacted 
(thus does not qualify as an Apache CVE) 
* However automated CIs may be exposed to malicious pull requests with crafted 
XML content leveraging the CVE prerequisite. Even there, executing the 
compilation within a docker container with limited rights might be a good risk 
mitigation. Relying on "privilege mode" or using a writable docker socket 
might not.



> Vulnerability found in dependency com.puppycrawl.tools:checkstyle
> -----------------------------------------------------------------
>
>                 Key: JAMES-3033
>                 URL: https://issues.apache.org/jira/browse/JAMES-3033
>             Project: James Server
>          Issue Type: Improvement
>            Reporter: René Cordier
>            Priority: Minor
>              Labels: security
>
> Due to an incomplete fix for 
> [CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658], 
> checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus 
> leading to this [CWE-611: Improper Restriction of XML External Entity 
> Reference|https://cwe.mitre.org/data/definitions/611.html].
> The issue is not very severe:
> * checkstyle is run at compile time, runtime James behavior is not impacted 
> (thus does not qualify as an Apache CVE) 
> * However automated CIs may be exposed to malicious pull requests with 
> crafted XML content leveraging the CVE prerequisite. Even there, executing 
> the compilation within a docker container with limited rights might be a good 
> risk mitigation. Relying on "privilege mode" or using a writable docker 
> socket might not.
> We might still want to fix it regarding our CI use.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
