Published: 24 Jul 2024
Source: github
Github: Reviewed
CVSS4: 8.7
CVSS3: 8.8
Description
XML External Entity Reference (XXE) in the XML Format Plugin in Apache Drill
XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-48362
- https://github.com/apache/drill/commit/0e88b7a5101d24c561a2a3efb12d7a3b3f7933f3
- https://github.com/apache/drill
- https://issues.apache.org/jira/browse/DRILL-8461
- https://lists.apache.org/thread/9tt0q4bdjwgw0dz0l9knqxjnpb5y6zsl
- http://www.openwall.com/lists/oss-security/2024/07/24/3
Packages
Name: org.apache.drill.exec:drill-java-exec
Ecosystem: maven
Affected versions: >= 1.19.0, < 1.21.2
Fixed version: 1.21.2
Related vulnerabilities
CVSS3: 8.8
nvd
more than 1 year ago
XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.