Description
There appears to be an issue in RestoreZooKeeper in which the tool may, with specially crafted XML, load external files on the system. I'm not going the normal vulnerability route with this because the command is executed by a user on an XML file they provide (so, the vector is that you attacked yourself out of ignorance).
However, it would still be good to remove this as a possibility since it's very simple. This was found by a static analysis tool.
For more info, https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet is a good writeup.
Attachments
Issue Links
- links to