[jira] [Comment Edited] (TIKA-3074) Vulnerable "woodstox-core" is present inside Tika 1.23

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[jira] [Comment Edited] (TIKA-3074) Vulnerable "woodstox-core" is present inside Tika 1.23

Radim Rehurek (Jira)

    [ https://issues.apache.org/jira/browse/TIKA-3074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17061411#comment-17061411 ]

Abhishek Chauhan edited comment on TIKA-3074 at 3/18/20, 7:02 AM:

Thank you [~tallison] for your reply.

I have created an issue at cxf https://issues.apache.org/jira/browse/CXF-8245 and linked this issue with it.

was (Author: abchauha):
Thank you [~tallison] for your reply.

I will open the issue and link it to this issue, would you please share the URL which may allow me to create an issue at cxf.

> Vulnerable "woodstox-core" is present inside Tika 1.23
> ------------------------------------------------------
>                 Key: TIKA-3074
>                 URL: https://issues.apache.org/jira/browse/TIKA-3074
>             Project: Tika
>          Issue Type: Bug
>            Reporter: Abhishek Chauhan
>            Priority: Major
> *Short Description:*  woodstox-core is a transitive dependency of Apache Tika. Checked the pom inside tika-app-1.23.jar, it seems that it is internally using 5.0.3 version of woodstox-core, which is vulnerable.
> *Root Cause :* tika-app-1.23.jar; com/ctc/wstx/sax/WstxSAXParserFactory.class : [5.0.1 , 5.3.0]
> *Vulnerability*: The woodstox-core package is vulnerable to Improper Restriction ofXML eXternal Entity [XXE] Reference. The setFeature and getFeature methods in WstxSAXParserFactory.class rely on the mSecureProcessing boolean value to be able to securely parse input XML. The boolean value, however, is set to false by default. Additionally, the class lacks support for properties XMLConstants.FEATURE_SECURE_PROCESSING and XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, which can make it possible for an attacker to conduct XXE attacks.
> This vulnerability is addressed in the issue [https://github.com/FasterXML/woodstox/issues/61
> *Solution of the Vulnerability*: Issue [https://github.com/FasterXML/woodstox/issues/61] is fixed in version 5.3.0 of woodstox-core. Tika may need to upgrade the version of  this dependency, so consumers are not affected by transitive dependency.

This message was sent by Atlassian Jira