Accumulo / ACCUMULO-4534

Remove XML external entity issue in RestoreZooKeeper

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.7.3, 1.8.1, 2.0.0
    • Component/s: None
    • Labels: None

    Description

      There appears to be an issue in RestoreZooKeeper in which the tool may, with specially crafted XML, load external files on the system. I'm not going the normal vulnerability route with this because the command is executed by a user on an XML file they provide (so, the vector is that you attacked yourself out of ignorance).

      However, it would still be good to remove this as a possibility since it's very simple. This was found by a static analysis tool.

      For more info, https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet is a good writeup.

    People

      Assignee: Josh Elser (elserj)
      Reporter: Josh Elser (elserj)
      Votes: 0
      Watchers: 2

    Time Tracking

      Estimated: Not Specified
      Remaining: 0h
      Logged: 1h 10m