db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bryan Pendleton (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6807) XXE attack possible by using XmlVTI and the XML datatype
Date Sun, 07 Jun 2015 17:15:00 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14576345#comment-14576345
] 

Bryan Pendleton commented on DERBY-6807:
----------------------------------------

Abhinav, I took your test case and put it into a separate test suite by itself and
attached the new test suite to DERBY-6810. Can you have a look at your convenience?

> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
>                 Key: DERBY-6807
>                 URL: https://issues.apache.org/jira/browse/DERBY-6807
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: error-stacktrace.out, xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to expose
sensitive information or launch denial-of-service assaults. This issue has CVE id CVE-2015-1832.
This issue was brought to our attention by Philippe Arteau.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message