[MODDATAIMP-319] Dom4j XXE vulnerability (CVE-2020-10683) - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P1
Resolution: Done
Affects Version/s: 1.10.1
Fix Version/s: 1.10.2
Labels:
- security

Template:
Sprint:
Folijet Sprint 93
Story Points:
0.5
Development Team:
Folijet
Release:
Q2 2020 Hot Fix #1
Epic Link:
Q2 2020 Hotfix Release

Description

Dom4j's SAXReader enables external DTDs and External Entities by default when reading XML files.

This makes mod-data-import vulnerable to XXE attacks: https://en.wikipedia.org/wiki/XML_external_entity_attack

Task:

Upgrade to latest Dom4j and disable external DTDs and External Entities by changing the SAXReader configuration as suggested on
https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#saxreader

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10683

TestRail: Results

Attachments

Issue Links

defines

UXPROD-2551 NFR: Data Import (Batch Importer for Bib Acq) & PubSub Q3 2020 Technical, NFR, & Misc bug work

Closed

has to be done before

MODDATAIMP-320 Release mod-data-import 1.10.2

Closed

Activity

People

Assignee:: Kateryna Senchenko

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 21/Jul/20 9:03 PM

Updated:: 12/Aug/20 6:16 AM

Resolved:: 22/Jul/20 2:45 PM

TestRail: Runs

TestRail: Cases