Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0049039
TypeCategorySeverityReproducibilityDate SubmittedLast Update
design defect[Openbravo ERP] A. Platformcriticalalways2022-04-12 12:272022-04-26 14:27
Reporterfermin_ostivarView Statuspublic 
Assigned ToAugustoMauch 
PriorityimmediateResolutionfixedFixed in VersionPR22Q3
StatusclosedFix in branchFixed in SCM revision
ProjectionnoneETAnoneTarget Version
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionpiSCM revision 
Merge Request Statusapproved
Review Assigned To
OBNetwork customerGold
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0049039: XML parsers XXE attacks vulnerabilty

DescriptionWe have detected a SaxParser vulnerable to XXE attach in the class TranslationManager

      final SAXParserFactory factory = SAXParserFactory.newInstance();
      final SAXParser parser = factory.newSAXParser();
      parser.parse(in, handler);


https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L641 [^]
https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L666 [^]
Steps To ReproduceN/A
Proposed SolutionTo create a new get method in the class XMLUtil.java as newSAXReader and to call it in the lines reported previously
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
related to defect 0040642 closedalostale centralize in XMLUtils creation of objects to deal with XML documents 
depends on backport 0049051PR22Q2 closedAugustoMauch XML parsers XXE attacks vulnerabilty 
depends on backport 0049052PR22Q1.2 closedAugustoMauch XML parsers XXE attacks vulnerabilty 
depends on backport 0049053PR21Q4.5 closedAugustoMauch XML parsers XXE attacks vulnerabilty 

-  Notes
(0136714)
hgbot (developer)
2022-04-25 11:21

 Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/566 [^]
(0136755)
hgbot (developer)
2022-04-26 14:27

 Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/566 [^]
(0136756)
hgbot (developer)
2022-04-26 14:27

 Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo [^]
Changeset: bf9a81bcfcd0e81704c377e350fc33edb850349e
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 26-04-2022 12:27:24
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/bf9a81bcfcd0e81704c377e350fc33edb850349e [^]

Fixes ISSUE-49039: Provides a safe way to create instances of SAXParser

A new method has been created in XMLUtil to create instances of SAXParser that are not vulnerable to XXE attacks

---
M src/org/openbravo/dal/xml/XMLUtil.java
M src/org/openbravo/erpCommon/ad_forms/TranslationManager.java
---

- Issue History
Date Modified Username Field Change
2022-04-12 12:27 fermin_ostivar New Issue
2022-04-12 12:27 fermin_ostivar Assigned To => Triage Platform Base
2022-04-12 12:27 fermin_ostivar OBNetwork customer => Gold
2022-04-12 12:27 fermin_ostivar Modules => Core
2022-04-12 12:27 fermin_ostivar Triggers an Emergency Pack => No
2022-04-12 13:04 alostale Relationship added related to 0040642
2022-04-13 13:23 AugustoMauch Assigned To Triage Platform Base => AugustoMauch
2022-04-13 13:24 AugustoMauch Status new => scheduled
2022-04-25 11:21 hgbot Merge Request Status => open
2022-04-25 11:21 hgbot Note Added: 0136714
2022-04-26 11:48 hgbot Merge Request Status open => approved
2022-04-26 14:27 hgbot Resolution open => fixed
2022-04-26 14:27 hgbot Status scheduled => closed
2022-04-26 14:27 hgbot Note Added: 0136755
2022-04-26 14:27 hgbot Fixed in Version => PR22Q3
2022-04-26 14:27 hgbot Note Added: 0136756

Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker