I forgot - here's the link to the actual issue in Quartz: https://github.com/quartz-scheduler/quartz/issues/467. The XML parser isn't well configured, which leaves it potentially vulnerable to XXE attacks from malicious XML input.
Jon

On Fri, Aug 30, 2019 at 3:38 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:

> Hi all,
>
> There's a potential XXE in the quartz package that we shade and use. The quartz package itself doesn't appear to be maintained any more, so I have forked and pushed binaries with a fix to staging repos at oss.sonatype.org.
>
> I intend to update our quartz shade code here: https://svn.apache.org/repos/asf/tomee/deps/trunk/quartz-openejb-shade/ to use my patched version of quartz.
>
> It's unlikely that TomEE, as it is, is affected by this as we're not driving Quartz by passing XML to it, but I think it makes sense to use a patched version to mitigate this in case users are calling this code directly in their applications.
>
> Are there any objections?
>
> Thanks
>
> Jon
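The misconfiguration Jon describes is a JAXP parser left at its defaults, which resolves DTDs and external entities. The following is an added example, not code from Quartz, TomEE or this thread, showing the hardened `DocumentBuilderFactory` configuration a defender would want and checking that a constructed document carrying an external entity declaration is rejected before any entity is resolved. It assumes the XML is loaded through `javax.xml.parsers.DocumentBuilderFactory` (the feature URIs are the Xerces ones the JDK's built-in parser understands); the class name, the sample documents and the placeholder file path are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample: a job-scheduling-style document whose DOCTYPE declares an
    // external entity. The file path is a placeholder, not a real target.
    static final String CONSTRUCTED_XXE_INPUT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE job-scheduling-data [\n"
      + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">\n"
      + "]>\n"
      + "<job-scheduling-data><job><name>&ext;</name></job></job-scheduling-data>";

    // Constructed sample: the same shape of document with no DTD at all.
    static final String BENIGN_INPUT =
        "<?xml version=\"1.0\"?>\n"
      + "<job-scheduling-data><job><name>nightly-report</name></job></job-scheduling-data>";

    /** Factory configured the way a parser that only needs plain XML should be. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: with no DTD there are no entity declarations to abuse.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DTD ever be permitted again: never fetch external
        // general or parameter entities, and never load an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /**
     * Parses xml with the given factory. Returns null if the document was accepted,
     * otherwise the parser's reason for rejecting it (for the hardened factory this is
     * the "DOCTYPE is disallowed" error, raised before any entity is resolved).
     */
    static String rejectionReason(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() == null ? "empty document" : null;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("benign document: "
            + (rejectionReason(hardened, BENIGN_INPUT) == null ? "accepted" : "rejected"));
        System.out.println("document with external entity: "
            + rejectionReason(hardened, CONSTRUCTED_XXE_INPUT));
    }
}
```

Disallowing the DOCTYPE is the setting that matters most: it stops the parser before it reads the entity declaration, so the placeholder URI is never opened. The remaining features only come into play if an application genuinely has to accept DTDs, in which case they stop the parser from reaching out to external resources while still honouring internal declarations.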