Adding SecureDocumentBuilderFactory & SecureXPATHFactory to prevent XXE (XML External Entity) attack #539

Conversation
Great contribution, thanks! I wasn't even aware of this vulnerability, even though I'm very familiar with the OWASP guidelines for the Web. It seems like the JDK team should make this the default!
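As an added example, not the pull request's own code and not ClassGraph's SecureDocumentBuilderFactory or SecureXPATHFactory classes, this shows the standard way to harden the JDK's DocumentBuilderFactory and XPathFactory against XXE, which is the kind of configuration such wrapper classes exist to centralise. The feature URIs are the usual Xerces/SAX ones the JDK's built-in parser supports; the class name, method names and the sample XML are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Hypothetical helper (not ClassGraph's code): builds XML parsers with DTD and external-entity processing turned off. */
public final class HardenedXml {

    /** Returns a DocumentBuilderFactory that refuses DOCTYPE declarations and never resolves external entities or DTDs. */
    public static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary defence: without a DOCTYPE there can be no entity declarations at all (XXE, entity expansion).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a parser implementation does not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns an XPathFactory with secure processing enabled, which restricts extension functions and resolvers. */
    public static XPathFactory newSecureXPathFactory() throws XPathFactoryConfigurationException {
        XPathFactory xpf = XPathFactory.newInstance();
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return xpf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a harmless internal entity, but it requires a DOCTYPE,
        // which is exactly what the hardened parser refuses before it looks at any entity.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE project [ <!ENTITY ver \"4.8.112\"> ]>\n"
                + "<project><version>&ver;</version></project>";
        String plain = "<project><version>4.8.112</version></project>";

        DocumentBuilder secure = newSecureDocumentBuilderFactory().newDocumentBuilder();

        // Documents without a DOCTYPE still parse normally.
        Document doc = secure.parse(new ByteArrayInputStream(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println("plain document version = " + doc.getDocumentElement().getTextContent());

        // Any document carrying a DOCTYPE is rejected outright with a SAXParseException.
        try {
            secure.parse(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE is the check that matters most: it removes the entity-declaration mechanism entirely rather than trying to filter individual entities, and the remaining feature flags only guard against a parser implementation that ignores it.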
Released in 4.8.112. Thanks again!
Thanks Luke for the prompt action in merging and releasing this pull request 😊

On Sun, 8 Aug 2021 at 7:29 AM, Luke Hutchison ***@***.***> wrote:
Released in 4.8.112. Thanks again!
--
regards,
Kshitiz
You're welcome... I'm curious how you even spotted this vulnerability. It's in an obscure piece of code that tries to determine the ClassGraph version by reading
Just a heads up this has been assigned CVE-2021-47621.

Are you sure you have that right? That CVE is for the Guest Entries PHP library -- it doesn't even apply to the Java ecosystem. FYI the vulnerability in the original bug report had a very low likelihood of causing a problem (you'd have to have access to the build system to execute this vulnerability, and if you had that access, you could do a lot more malicious stuff than this).

The CVE is correct https://nvd.nist.gov/vuln/detail/CVE-2021-47621

@thc202 Oh, Google Search's top result when searching for that number was the wrong result, it was 2023-47621. So let's consider the impact of this vulnerability in some detail, since it is still coming up 3 years later:
Please correct me if I'm wrong, but I see this as a non-issue.