[ https://issues.apache.org/jira/browse/CXF-8245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17061972#comment-17061972 ]
Tim Allison commented on CXF-8245:
----------------------------------

IIUC, we bring woodstox-core in as a dependency from cxf. I asked [~abchauha] to push this upstream.

{noformat}
[INFO] |  +- org.apache.cxf:cxf-core:jar:3.3.5:compile
[INFO] |  |  +- com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
{noformat}

> Vulnerable "woodstox-core" is present inside Tika 1.23
> ------------------------------------------------------
>
>                 Key: CXF-8245
>                 URL: https://issues.apache.org/jira/browse/CXF-8245
>             Project: CXF
>          Issue Type: Bug
>            Reporter: Abhishek Chauhan
>            Priority: Major
>
> *Short Description:* woodstox-core is a transitive dependency of Apache
> Tika. Checking the pom inside tika-app-1.23.jar, it seems that it is
> internally using version 5.0.3 of woodstox-core, which is vulnerable.
>
> *Root Cause:* tika-app-1.23.jar; com/ctc/wstx/sax/WstxSAXParserFactory.class
> : [5.0.1, 5.3.0]
>
> *Vulnerability:* The woodstox-core package is vulnerable to Improper
> Restriction of XML eXternal Entity [XXE] Reference. The setFeature and
> getFeature methods in WstxSAXParserFactory.class rely on the
> mSecureProcessing boolean value to be able to securely parse input XML. The
> boolean value, however, is set to false by default. Additionally, the class
> lacks support for the properties XMLConstants.FEATURE_SECURE_PROCESSING and
> XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, which can make it possible
> for an attacker to conduct XXE attacks.
>
> This vulnerability is addressed in the issue
> [https://github.com/FasterXML/woodstox/issues/61]
>
> *Solution of the Vulnerability:* Issue
> [https://github.com/FasterXML/woodstox/issues/61] is fixed in version 5.3.0
> of woodstox-core. Tika may need to upgrade the version of this dependency,
> so that consumers are not affected by the transitive dependency.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
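Added example, not code from the CXF, Tika or Woodstox projects: a hypothetical helper that feeds untrusted XML through the StAX XMLInputFactory with DTD processing and external entity support switched off (the standard property the report says the SAX factory ignores), and rejects a constructed DOCTYPE sample while accepting a plain one. The class, method and sample names are assumptions; it runs against whichever StAX implementation is on the classpath.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Hypothetical helper: parses untrusted XML with DTDs and external entities disabled
 *  and refuses any document that still carries a DTD or an unexpanded entity reference. */
public final class HardenedStaxCheck {

    // Constructed sample shaped like a document that declares an external entity.
    // The SYSTEM URI uses the reserved .invalid TLD, so it can never resolve to anything.
    static final String DOCTYPE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"http://example.invalid/not-fetched\"> ]>\n"
      + "<doc>&ext;</doc>";

    static final String PLAIN_SAMPLE = "<?xml version=\"1.0\"?><doc><item>ok</item></doc>";

    /** Factory with the two standard StAX properties that govern DTD/entity handling turned off.
     *  Woodstox's WstxInputFactory is chosen via ServiceLoader when woodstox-core is on the
     *  classpath; otherwise the JDK's built-in StAX parser is used. Both honour these properties. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);                     // no DOCTYPE processing
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); // no SYSTEM/PUBLIC fetches
        return f;
    }

    /** True only if the document parses to END_DOCUMENT without a DTD or ENTITY_REFERENCE event.
     *  A parser error (e.g. an undeclared entity once DTD processing is off) also counts as rejection. */
    static boolean isAcceptable(String xml) {
        try {
            XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.DTD || ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    r.close();
                    return false;
                }
            }
            r.close();
            return true;
        } catch (XMLStreamException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain document accepted:   " + isAcceptable(PLAIN_SAMPLE));
        System.out.println("DOCTYPE document accepted: " + isAcceptable(DOCTYPE_SAMPLE));
    }
}
```

Whether the DOCTYPE sample surfaces as a DTD event or as a parse error depends on the StAX implementation selected, which is why the check treats both outcomes as rejection.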