[LUCENE-8291] Possible security issue when parsing XML documents containing external entity references - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 7.2.1
Fix Version/s: 7.4, 8.0
Component/s: modules/queryparser
Labels:
None

Lucene Fields:

New

Description

It appears that in QueryTemplateManager.java lines 149 and 198 and in DOMUtils.java line 204 XML is parsed without disabling external entity references (XXE). This is described in http://cwe.mitre.org/data/definitions/611.html and possible mitigations are listed here: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

All recent versions of lucene are affected.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

LUCENE-8291-2.patch
16/May/18 07:22
34 kB
Uwe Schindler
LUCENE-8291.patch
06/May/18 12:31
22 kB
Uwe Schindler

Activity

People

Assignee:: Uwe Schindler

Reporter:: Hendrik Saly

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 02/May/18 19:08

Updated:: 28/Aug/22 15:29

Resolved:: 27/Jun/18 08:38