accumulo-notifications mailing list archives

From "Christopher Tubbs (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-4534) Remove XML external entity issue in RestoreZooKeeper
Date Fri, 09 Dec 2016 05:29:58 GMT


Christopher Tubbs commented on ACCUMULO-4534:

Sure thing. I offered my comments on the PR.

> Remove XML external entity issue in RestoreZooKeeper
> ----------------------------------------------------
>                 Key: ACCUMULO-4534
>                 URL:
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.7.3, 1.8.1, 2.0.0
>          Time Spent: 20m
>  Remaining Estimate: 0h
> There appears to be an issue in RestoreZooKeeper in which the tool may, with specially
> crafted XML, load external files on the system. I'm not going the normal vulnerability route
> with this because the command is executed by a user on an XML file they provide (so, the vector
> is that you attacked yourself out of ignorance).
> However, it would still be good to remove this as a possibility since it's very simple.
> This was found by a static analysis tool.
> For more info,
> is a good writeup.

This message was sent by Atlassian JIRA
