[jira] [Created] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

Hendrik Saly (JIRA) Wed, 02 May 2018 12:09:15 -0700

Hendrik Saly created LUCENE-8291:
------------------------------------

             Summary: Possible security issue when parsing XML documents 
containing external entity references
                 Key: LUCENE-8291
                 URL: https://issues.apache.org/jira/browse/LUCENE-8291
             Project: Lucene - Core
          Issue Type: Bug
          Components: modules/queryparser
    Affects Versions: 7.2.1
            Reporter: Hendrik Saly



It appears that in QueryTemplateManager.java lines 149 and 198 and in 
DOMUtils.java line 204 XML is parsed without disabling external entity 
references (XXE). This is described in 
[http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are 
listed here: 
[https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]

[https://www.cvedetails.com/cve/CVE-2014-6517/] is also related.

All recent versions of lucene are affected.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Created] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

Reply via email to