Karaf / KARAF-4217

XML External Entity Injection


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 4.0.3
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

    Description

      HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.

      XML parser configured in MavenConfigService.java:74 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack. See external issue URL.

      File: bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
      Line: 74

      MavenConfigService.java, lines 66-76:

      66 static String getLocalRepoFromConfig(Dictionary<String, Object> dict) throws XMLStreamException, FileNotFoundException {
      67     String path = null;
      68     if (dict != null) {
      69         path = (String) dict.get("org.ops4j.pax.url.mvn.localRepository");
      70         if (path == null) {
      71             String settings = (String) dict.get("org.ops4j.pax.url.mvn.settings");
      72             if (settings != null) {
      73                 File file = new File(settings);
      74                 XMLStreamReader reader = XMLInputFactory.newFactory().createXMLStreamReader(new FileInputStream(file));
      75                 try {
      76                     int event;
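      The finding above is that XMLInputFactory.newFactory() is used with its defaults, so a settings file carrying a DOCTYPE can make the StAX parser resolve external entities. The class below is an added illustration, not Karaf's code: it builds a hardened XMLInputFactory (DTD support off, external entities off, no entity expansion) and reads the localRepository element from a constructed settings-style document. The class and method names (HardenedSettingsReader, hardenedFactory, readLocalRepository) and the two inline sample documents are assumptions made for this example; the policy of treating an unexpanded entity reference as a hard error is also the example's own choice.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedSettingsReader {

    // Hardened factory: no DTD processing, no external entity resolution,
    // and no automatic expansion of entity references in text.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
        return f;
    }

    // Returns the text of the first <localRepository> element, the value the
    // original getLocalRepoFromConfig method is after, or null if absent.
    // An entity reference the parser reports instead of expanding is rejected
    // (policy chosen for this example).
    static String readLocalRepository(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            StringBuilder text = null;
            while (reader.hasNext()) {
                int event = reader.next();
                switch (event) {
                    case XMLStreamConstants.START_ELEMENT:
                        if ("localRepository".equals(reader.getLocalName())) {
                            text = new StringBuilder();
                        }
                        break;
                    case XMLStreamConstants.CHARACTERS:
                    case XMLStreamConstants.CDATA:
                        if (text != null) {
                            text.append(reader.getText());
                        }
                        break;
                    case XMLStreamConstants.ENTITY_REFERENCE:
                        throw new XMLStreamException(
                                "unexpanded entity reference '" + reader.getLocalName() + "' rejected");
                    case XMLStreamConstants.END_ELEMENT:
                        if (text != null && "localRepository".equals(reader.getLocalName())) {
                            return text.toString().trim();
                        }
                        break;
                    default:
                        break;
                }
            }
            return null;
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample: the shape of a Maven settings.xml.
        String benign = "<settings><localRepository>/var/karaf/repo</localRepository></settings>";
        // Constructed sample: the same document carrying an internal DTD that
        // declares an external entity (placeholder URI, nothing real is referenced).
        String withDtd = "<!DOCTYPE settings [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder\">]>"
                + "<settings><localRepository>&ext;</localRepository></settings>";

        XMLInputFactory hardened = hardenedFactory();
        System.out.println("benign -> " + readLocalRepository(hardened, benign));
        try {
            System.out.println("dtd -> " + readLocalRepository(hardened, withDtd));
        } catch (XMLStreamException e) {
            // With DTD support off, the JDK parser either rejects the document or
            // reports &ext; unexpanded; in both cases no external resource is fetched.
            System.out.println("dtd -> rejected: " + e.getMessage());
        }
    }
}
```

      The exact failure mode for the DTD-bearing document is implementation dependent (the bundled JDK parser and Woodstox differ in whether they throw at the DOCTYPE or surface an ENTITY_REFERENCE event), which is why the reader handles both paths; the property that matters for the finding is that no fetch happens either way.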
      

      People
        Assignee: Unassigned
        Reporter: Eduardo Aguinaga (EdAInWestOC)