You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "Adrien Grand (JIRA)" <ji...@apache.org> on 2018/06/27 08:39:00 UTC
[jira] [Resolved] (LUCENE-8291) Possible security issue when
parsing XML documents containing external entity references
[ https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adrien Grand resolved LUCENE-8291.
----------------------------------
Resolution: Fixed
Fix Version/s: (was: 7.5)
7.4
> Possible security issue when parsing XML documents containing external entity references
> ----------------------------------------------------------------------------------------
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
> Issue Type: Bug
> Components: modules/queryparser
> Affects Versions: 7.2.1
> Reporter: Hendrik Saly
> Assignee: Uwe Schindler
> Priority: Major
> Fix For: master (8.0), 7.4
>
> Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in DOMUtils.java line 204 XML is parsed without disabling external entity references (XXE). This is described in [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are listed here: [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org