Hendrik Saly created LUCENE-8291: ------------------------------------ Summary: Possible security issue when parsing XML documents containing external entity references Key: LUCENE-8291 URL: https://issues.apache.org/jira/browse/LUCENE-8291 Project: Lucene - Core Issue Type: Bug Components: modules/queryparser Affects Versions: 7.2.1 Reporter: Hendrik Saly
It appears that in QueryTemplateManager.java lines 149 and 198 and in DOMUtils.java line 204 XML is parsed without disabling external entity references (XXE). This is described in [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are listed here: [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet] [https://www.cvedetails.com/cve/CVE-2014-6517/] is also related. All recent versions of lucene are affected. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org