Description

An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.

Remediation

References

https://lists.apache.org/thread.html/r090321840b44cc91086c4e317bf2baffa270749dde6c1273b6567f7c%40%3Cdev.nutch.apache.org%3E

https://issues.apache.org/jira/browse/NUTCH-2841

https://security.netapp.com/advisory/ntap-20210513-0003/

https://lists.apache.org/thread.html/r7ddfd680aa7ea001ca8da63bb23e3f8caa095a8b4f2261e46bade5c7%40%3Cdev.nutch.apache.org%3E

https://lists.apache.org/thread.html/r5e2f7737b42c73a3325f3c2c8cdee1ec27631b3a0e144104d84d70e6%40%3Cannounce.apache.org%3E

Related Vulnerabilities

CVE-2022-33682 Vulnerability in maven package org.apache.pulsar:pulsar-broker

CVE-2021-37701 Vulnerability in npm package tar

CVE-2020-16037 Vulnerability in npm package electron

CVE-2022-41919 Vulnerability in npm package fastify

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Mailing List Vendor Advisory Issue Tracking Patch Third Party Advisory