Lucene - Core: LUCENE-8291

Possible security issue when parsing XML documents containing external entity references

Details

• Type: Bug
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 7.2.1
• Fix Version/s: 7.4, 8.0
• Component/s: modules/queryparser
• Labels: None
• Lucene Fields: New

Description

It appears that in QueryTemplateManager.java lines 149 and 198 and in DOMUtils.java line 204 XML is parsed without disabling external entity references (XXE). This is described in http://cwe.mitre.org/data/definitions/611.html and possible mitigations are listed here: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

All recent versions of Lucene are affected.
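The weakness the report describes is a JAXP `DocumentBuilderFactory` left at its defaults, which accept a DOCTYPE and resolve external entities. The following is an added illustration written for this page, not the patch attached to the issue and not Lucene's own code: it places the default (weak) builder next to a builder hardened with the settings from the OWASP cheat sheet linked above, and runs a small regression check over two constructed inputs. The class name, the sample documents (the `file:///placeholder-never-read` system identifier is a placeholder that is never meant to resolve) and the query-template element names are assumptions made for the example; the parser features are the standard Xerces/JAXP ones shipped with the JDK.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardenedParser {

    // Constructed sample: a document whose DOCTYPE declares an external entity.
    // The SYSTEM identifier is a placeholder; a hardened parser rejects the
    // DOCTYPE itself, so the identifier is never resolved.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE query [<!ENTITY ext SYSTEM \"file:///placeholder-never-read\">]>\n"
      + "<query>&ext;</query>";

    // Constructed sample: an ordinary template with no DOCTYPE, which must still parse.
    static final String SAMPLE_PLAIN =
        "<?xml version=\"1.0\"?><query><TermQuery fieldName=\"body\">lucene</TermQuery></query>";

    /** The weak configuration: JAXP defaults leave DTDs and external entities enabled. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened per the OWASP XXE cheat sheet: no DOCTYPE, no external entities, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest single setting: reject any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the setting above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /**
     * Classifies how a builder treats the DOCTYPE-carrying sample:
     * "REJECTED_DOCTYPE" when the parser refuses the DTD outright (the safe outcome),
     * "ATTEMPTED_EXTERNAL_FETCH" when it tried to resolve the entity and failed on I/O
     * (the behaviour this issue reports), or "PARSED" when the document went through.
     */
    static String classify(DocumentBuilder b) throws Exception {
        try {
            b.parse(new InputSource(new StringReader(SAMPLE_WITH_DOCTYPE)));
            return "PARSED";
        } catch (SAXParseException e) {
            return "REJECTED_DOCTYPE";
        } catch (IOException e) {
            return "ATTEMPTED_EXTERNAL_FETCH";
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder hardened = hardenedBuilder();

        // Ordinary templates still parse with the hardened builder.
        Document d = hardened.parse(new InputSource(new StringReader(SAMPLE_PLAIN)));
        System.out.println("root element:     " + d.getDocumentElement().getTagName());

        // Regression check a defender would keep in the test suite.
        System.out.println("hardened builder: " + classify(hardened));
        System.out.println("default builder:  " + classify(defaultBuilder()));
    }
}
```

The single most effective line is `disallow-doctype-decl`; the remaining features only matter when a DTD must be tolerated, and in a query-template parser it never needs to be. Keeping the `classify` check in a unit test catches a future change that silently reverts to `DocumentBuilderFactory.newInstance()` defaults.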

Attachments

1. LUCENE-8291-2.patch (34 kB, Uwe Schindler)
2. LUCENE-8291.patch (22 kB, Uwe Schindler)

People

• Assignee: uschindler (Uwe Schindler)
• Reporter: salyh (Hendrik Saly)
