oss-sec mailing list archives

CVE-2023-48362: Apache Drill: XXE Vulnerability in XML Format Reader


From: James Turton <dzamo () apache org>
Date: Wed, 24 Jul 2024 04:13:49 +0000

Severity: moderate

Affected versions:

- Apache Drill 1.19.0 before 1.21.2

Description:

XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file 
system or execute commands via a malicious XML file.
Users are recommended to upgrade to version 1.21.2, which fixes this issue.

This issue is being tracked as DRILL-8461.
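As an added example, not code from Drill or from the DRILL-8461 fix, the class below shows the StAX configuration that closes this bug class (DTD processing and external entity resolution switched off) next to the default configuration, with the regression check a defender would keep: the class name XxeHardeningCheck is hypothetical, the "secret" file and the XML document are constructed locally, and it assumes the JDK's built-in StAX implementation on Java 11 or later.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XxeHardeningCheck {
    // Hardened factory: no DTD processing, no external entity resolution.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Concatenates all character data; an expanded external entity shows up
    // here indistinguishable from ordinary element text.
    static String textContent(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamReader.CHARACTERS) sb.append(r.getText());
        }
        r.close();
        return sb.toString();
    }
    // Runs one factory over the document and reports the outcome.
    static String probe(String label, XMLInputFactory f, String xml) {
        try {
            return label + ": " + textContent(f, xml);
        } catch (XMLStreamException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file on the reader's host that must not leak.
        Path secret = Files.createTempFile("xxe-check", ".txt");
        Files.writeString(secret, "CONSTRUCTED-SECRET");
        // Constructed document whose internal DTD subset points an entity at that file.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE row [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<row><col>&ext;</col></row>";
        try {
            System.out.println(probe("default ", XMLInputFactory.newInstance(), xml));
            System.out.println(probe("hardened", hardenedFactory(), xml));
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With the JDK's default factory the file contents come back as column text; with the hardened factory the DTD is skipped and the undeclared entity reference is reported as an XMLStreamException instead of being resolved.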

Credit:

Yuzhe Huang (finder)

References:

https://drill.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-48362
https://issues.apache.org/jira/browse/DRILL-8461
