Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0049039 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| design defect | [Openbravo ERP] A. Platform | critical | always | 2022-04-12 12:27 | 2022-04-26 14:27 | |||
| Reporter | fermin_ostivar | View Status | public | |||||
| Assigned To | AugustoMauch | |||||||
| Priority | immediate | Resolution | fixed | Fixed in Version | PR22Q3 | |||
| Status | closed | Fix in branch | Fixed in SCM revision | |||||
| Projection | none | ETA | none | Target Version | ||||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | pi | SCM revision | ||||||
| Review Assigned To | ||||||||
| Web browser | ||||||||
| Modules | Core | |||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0049039: XML parsers XXE attacks vulnerabilty | |||||||
| Description | We have detected a SaxParser vulnerable to XXE attach in the class TranslationManager final SAXParserFactory factory = SAXParserFactory.newInstance(); final SAXParser parser = factory.newSAXParser(); parser.parse(in, handler); https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L641 [^] https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L666 [^] | |||||||
| Steps To Reproduce | N/A | |||||||
| Proposed Solution | To create a new get method in the class XMLUtil.java as newSAXReader and to call it in the lines reported previously | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
|||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
 Relationships |
|
Notes |
|
|
(0136714) hgbot (developer) 2022-04-25 11:21 |
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/566 [^] |
|
(0136755) hgbot (developer) 2022-04-26 14:27 |
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/566 [^] |
|
(0136756) hgbot (developer) 2022-04-26 14:27 |
Directly closing issue as related merge request is already approved. Repository: https://gitlab.com/openbravo/product/openbravo [^] Changeset: bf9a81bcfcd0e81704c377e350fc33edb850349e Author: Augusto Mauch <augusto.mauch@openbravo.com> Date: 26-04-2022 12:27:24 URL: https://gitlab.com/openbravo/product/openbravo/-/commit/bf9a81bcfcd0e81704c377e350fc33edb850349e [^] Fixes ISSUE-49039: Provides a safe way to create instances of SAXParser A new method has been created in XMLUtil to create instances of SAXParser that are not vulnerable to XXE attacks --- M src/org/openbravo/dal/xml/XMLUtil.java M src/org/openbravo/erpCommon/ad_forms/TranslationManager.java --- |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2022-04-12 12:27 | fermin_ostivar | New Issue | |
| 2022-04-12 12:27 | fermin_ostivar | Assigned To | => Triage Platform Base |
| 2022-04-12 12:27 | fermin_ostivar | Modules | => Core |
| 2022-04-12 12:27 | fermin_ostivar | Triggers an Emergency Pack | => No |
| 2022-04-12 13:04 | alostale | Relationship added | related to 0040642 |
| 2022-04-13 13:23 | AugustoMauch | Assigned To | Triage Platform Base => AugustoMauch |
| 2022-04-13 13:24 | AugustoMauch | Status | new => scheduled |
| 2022-04-25 11:21 | hgbot | Note Added: 0136714 | |
| 2022-04-26 14:27 | hgbot | Resolution | open => fixed |
| 2022-04-26 14:27 | hgbot | Status | scheduled => closed |
| 2022-04-26 14:27 | hgbot | Note Added: 0136755 | |
| 2022-04-26 14:27 | hgbot | Fixed in Version | => PR22Q3 |
| 2022-04-26 14:27 | hgbot | Note Added: 0136756 | |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |