Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0049039 | Openbravo ERP | A. Platform | public | 2022-04-12 12:27 | 2022-04-26 14:27 |
|
| Reporter | fermin_ostivar | |
| Assigned To | AugustoMauch | |
| Priority | immediate | Severity | critical | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 5 | OS Version | |
| Product Version | pi | |
| Target Version | | Fixed in Version | PR22Q3 | |
| Merge Request Status | approved |
| Review Assigned To | |
| OBNetwork customer | Gold |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0049039: XML parsers XXE attacks vulnerabilty |
| Description | We have detected a SaxParser vulnerable to XXE attach in the class TranslationManager
final SAXParserFactory factory = SAXParserFactory.newInstance();
final SAXParser parser = factory.newSAXParser();
parser.parse(in, handler);
https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L641 [^]
https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L666 [^]
|
| Steps To Reproduce | N/A |
| Proposed Solution | To create a new get method in the class XMLUtil.java as newSAXReader and to call it in the lines reported previously |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | defect | 0040642 | | closed | alostale | centralize in XMLUtils creation of objects to deal with XML documents | | depends on | backport | 0049051 | PR22Q2 | closed | AugustoMauch | XML parsers XXE attacks vulnerabilty | | depends on | backport | 0049052 | PR22Q1.2 | closed | AugustoMauch | XML parsers XXE attacks vulnerabilty | | depends on | backport | 0049053 | PR21Q4.5 | closed | AugustoMauch | XML parsers XXE attacks vulnerabilty |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2022-04-12 12:27 | fermin_ostivar | New Issue | |
| 2022-04-12 12:27 | fermin_ostivar | Assigned To | => Triage Platform Base |
| 2022-04-12 12:27 | fermin_ostivar | OBNetwork customer | => Gold |
| 2022-04-12 12:27 | fermin_ostivar | Modules | => Core |
| 2022-04-12 12:27 | fermin_ostivar | Triggers an Emergency Pack | => No |
| 2022-04-12 13:04 | alostale | Relationship added | related to 0040642 |
| 2022-04-13 13:23 | AugustoMauch | Assigned To | Triage Platform Base => AugustoMauch |
| 2022-04-13 13:24 | AugustoMauch | Status | new => scheduled |
| 2022-04-25 11:21 | hgbot | Merge Request Status | => open |
| 2022-04-25 11:21 | hgbot | Note Added: 0136714 | |
| 2022-04-26 11:48 | hgbot | Merge Request Status | open => approved |
| 2022-04-26 14:27 | hgbot | Resolution | open => fixed |
| 2022-04-26 14:27 | hgbot | Status | scheduled => closed |
| 2022-04-26 14:27 | hgbot | Note Added: 0136755 | |
| 2022-04-26 14:27 | hgbot | Fixed in Version | => PR22Q3 |
| 2022-04-26 14:27 | hgbot | Note Added: 0136756 | |