[DRILL-8461] Prevent XXE Attacks in XML Format Plugin - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.21.1
Fix Version/s: 1.21.2
Component/s: Format - XML
Labels:
None

Description

Drill's XML reader would allow a maliciously crafted XML file to perform an XML eXternal Entity injection (XXE) attack. This fix disables DTD parsing in the XML format plugin and prevents XXE attacks.

Attachments

Activity

People

Assignee:: Charles Givre

Reporter:: Charles Givre

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 03/Nov/23 14:21

Updated:: 02/Jan/24 07:43

Resolved:: 02/Jan/24 07:43