Uploaded image for project: 'Lucene - Core'
  1. Lucene - Core
  2. LUCENE-8291

Possible security issue when parsing XML documents containing external entity references

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 7.2.1
    • 7.4, 8.0
    • modules/queryparser
    • None
    • New

    Description

      It appears that in QueryTemplateManager.java lines 149 and 198 and in DOMUtils.java line 204 XML is parsed without disabling external entity references (XXE). This is described in http://cwe.mitre.org/data/definitions/611.html and possible mitigations are listed here: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

      All recent versions of lucene are affected.

      Attachments

        1. LUCENE-8291.patch
          22 kB
          Uwe Schindler
        2. LUCENE-8291-2.patch
          34 kB
          Uwe Schindler

        Activity

          People

            uschindler Uwe Schindler
            salyh Hendrik Saly
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: