[
https://issues.apache.org/jira/browse/HIVE-26681?focusedWorklogId=834063&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-834063
]
ASF GitHub Bot logged work on HIVE-26681:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 16/Dec/22 07:21
Start Date: 16/Dec/22 07:21
Worklog Time Spent: 10m
Work Description: devaspatikrishnatri commented on PR #3716:
URL: https://github.com/apache/hive/pull/3716#issuecomment-1354321521
Hi @cnauroth ,the title is currently misleading(I will change it) , this
patch actually removes dom4j jars from hive as I do not think that they were
used in hive and are having these CVEs:
CVE-2018-1000632 (HIGH severity) - dom4j version prior to version 2.1.1
contains a CWE-91: XML Injection vulnerability in Class: Element. Methods:
addElement, addAttribute that can result in an attacker tampering with XML
documents through XML injection. This attack appear to be exploitable via an
attacker specifying attributes or elements in the XML document. This
vulnerability appears to have been fixed in 2.1.1 or later.
CVE-2020-10683 (CRITICAL severity) - dom4j before 2.0.3 and 2.1.x before
2.1.3 allows external DTDs and External Entities by default, which might enable
XXE attacks. However, there is popular external documentation from OWASP
showing how to enable the safe, non-default behavior in any application that
uses dom4j.
Issue Time Tracking
-------------------
Worklog Id: (was: 834063)
Time Spent: 40m (was: 0.5h)
> Upgrade dom4j: flexible XML framework for Java to safe version due to
> critical CVEs
> -----------------------------------------------------------------------------------
>
> Key: HIVE-26681
> URL: https://issues.apache.org/jira/browse/HIVE-26681
> Project: Hive
> Issue Type: Task
> Reporter: Devaspati Krishnatri
> Assignee: Devaspati Krishnatri
> Priority: Major
> Labels: pull-request-available
> Time Spent: 40m
> Remaining Estimate: 0h
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
