CXF-8245

Vulnerable "woodstox-core" is present inside Tika 1.23


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.4.0
    • Component/s: None
    • Labels: None
    • Estimated Complexity: Unknown

    Description

    Short Description: woodstox-core is a transitive dependency of Apache Tika. Checked the pom inside tika-app-1.23.jar; it seems that it is internally using version 5.0.3 of woodstox-core, which is vulnerable.

    Root Cause: tika-app-1.23.jar; com/ctc/wstx/sax/WstxSAXParserFactory.class : [5.0.1, 5.3.0]

    Vulnerability: The woodstox-core package is vulnerable to Improper Restriction of XML eXternal Entity [XXE] Reference. The setFeature and getFeature methods in WstxSAXParserFactory.class rely on the mSecureProcessing boolean value to be able to securely parse input XML. The boolean value, however, is set to false by default. Additionally, the class lacks support for the properties XMLConstants.FEATURE_SECURE_PROCESSING and XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, which can make it possible for an attacker to conduct XXE attacks.

    This vulnerability is addressed in the issue https://github.com/FasterXML/woodstox/issues/61

    Solution of the Vulnerability: Issue https://github.com/FasterXML/woodstox/issues/61 is fixed in version 5.3.0 of woodstox-core. Tika may need to upgrade the version of this dependency, so consumers are not affected by the transitive dependency.
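The following is an added example, not code from this issue, from Apache CXF, Tika or the Woodstox project. It shows the defensive configuration a consumer of woodstox-core can apply regardless of which version the dependency tree resolves to: the StAX factory is told to drop DTD processing and external entity expansion (the XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES property named in the issue) and given a resolver that refuses every lookup, and the SAX factory is probed for whether it accepts XMLConstants.FEATURE_SECURE_PROCESSING. The sample document and the file path in its entity declaration are constructed placeholders; the assumption that a build lacking the feature answers setFeature with SAXNotRecognizedException is marked in the code.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

import com.ctc.wstx.sax.WstxSAXParserFactory;
import com.ctc.wstx.stax.WstxInputFactory;

public class WoodstoxXxeHardening {

    // Constructed sample: declares an external entity and references it in element content.
    // The SYSTEM path is a placeholder; what matters is whether the parser tries to resolve it.
    private static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\"> ]>\n"
      + "<doc>&ext;</doc>";

    /** Hardened StAX factory: no DTD processing, no external entities, resolver that refuses. */
    public static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = new WstxInputFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Defence in depth: should any entity lookup still reach the resolver, fail loudly.
        f.setXMLResolver((publicId, systemId, baseUri, ns) -> {
            throw new XMLStreamException("external entity resolution refused: " + systemId);
        });
        return f;
    }

    /**
     * Parses SAMPLE and returns true only if element text was produced, i.e. the external
     * entity was expanded. A parse error (undeclared or refused entity) counts as "not expanded".
     */
    public static boolean expandsExternalEntity(XMLInputFactory f) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(SAMPLE));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
            return text.length() > 0;
        } catch (XMLStreamException e) {
            return false;
        }
    }

    /**
     * Probes whether WstxSAXParserFactory honours FEATURE_SECURE_PROCESSING.
     * Assumption: a build that lacks the feature rejects setFeature with
     * SAXNotRecognizedException (or SAXNotSupportedException), so false here is a signal
     * that the resolved woodstox-core version needs the dependency upgrade described above.
     */
    public static boolean saxFactorySupportsSecureProcessing() {
        SAXParserFactory spf = new WstxSAXParserFactory();
        try {
            spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened StAX factory expands external entity: "
            + expandsExternalEntity(hardenedStaxFactory()));
        System.out.println("WstxSAXParserFactory accepts FEATURE_SECURE_PROCESSING: "
            + saxFactorySupportsSecureProcessing());
    }
}
```

The StAX settings are the standard javax.xml.stream properties, so they apply to Woodstox builds both before and after the fix in 5.3.0; the SAX probe is only a version-independent way to notice, at startup or in a dependency-check test, that the secure-processing switch the issue describes is missing.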


    People

    • Assignee: coheigea Colm O hEigeartaigh
    • Reporter: abchauha Abhishek Chauhan
    • Votes: 0
    • Watchers: 3
