Posted to announce@apache.org by lewis john mcgibbney <le...@apache.org> on 2021/01/25 02:28:15 UTC

[ANNOUNCE] CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser

Description:

An XML external entity (XXE) injection vulnerability was discovered in
the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML
external entity injection (also known as XXE) is a web security
vulnerability that allows an attacker to interfere with an
application's processing of XML data. It often allows an attacker to
view files on the application server filesystem, and to interact with
any back-end or external systems that the application itself can
access.

Fix:
This issue was tracked, fixed and resolved in
https://issues.apache.org/jira/browse/NUTCH-2841

Actions:
To avoid this vulnerability, users consuming Apache Nutch must upgrade
to Nutch 1.18. See the Nutch downloads page for more details:
http://nutch.apache.org/downloads.html

Credit:

The Apache Nutch Project Management Committee would like to thank
Martin Heyden for reporting this issue to the Apache Security Team. We
are indebted.

Further support:
Contact the Apache Nutch PMC via our mailing lists
http://nutch.apache.org/mailing_lists.html

-- 
http://home.apache.org/~lewismc/
http://people.apache.org/keys/committer/lewismc