[
https://issues.apache.org/jira/browse/CXF-8245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17062302#comment-17062302
]
Abhishek Chauhan commented on CXF-8245:
---------------------------------------
Thanks [~tallison] .
Hello [~coheigea] ,
May we please reopen this issue as above clarified woodstox-core in as a
dependency from cxf.
> Vulnerable "woodstox-core" is present inside Tika 1.23
> ------------------------------------------------------
>
> Key: CXF-8245
> URL: https://issues.apache.org/jira/browse/CXF-8245
> Project: CXF
> Issue Type: Bug
> Reporter: Abhishek Chauhan
> Priority: Major
>
> *Short Description:* woodstox-core is a transitive dependency of Apache
> Tika. Checked the pom inside tika-app-1.23.jar, it seems that it is
> internally using 5.0.3 version of woodstox-core, which is vulnerable.
> *Root Cause :* tika-app-1.23.jar; com/ctc/wstx/sax/WstxSAXParserFactory.class
> : [5.0.1 , 5.3.0]
> *Vulnerability*: The woodstox-core package is vulnerable to Improper
> Restriction ofXML eXternal Entity [XXE] Reference. The setFeature and
> getFeature methods in WstxSAXParserFactory.class rely on the
> mSecureProcessing boolean value to be able to securely parse input XML. The
> boolean value, however, is set to false by default. Additionally, the class
> lacks support for properties XMLConstants.FEATURE_SECURE_PROCESSING and
> XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, which can make it possible
> for an attacker to conduct XXE attacks.
> This vulnerability is addressed in the issue
> [https://github.com/FasterXML/woodstox/issues/61]
> *Solution of the Vulnerability*: Issue
> [https://github.com/FasterXML/woodstox/issues/61] is fixed in version 5.3.0
> of woodstox-core. Tika may need to upgrade the version of this dependency,
> so consumers are not affected by transitive dependency.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
