https://bugzilla.redhat.com/show_bug.cgi?id=1796858
Bug ID: 1796858
Summary: CVE-2019-10782 checkstyle: XML External Entity Injection due to an incomplete fix for CVE-2019-9658
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: dbhole@redhat.com, edewata@redhat.com, extras-orphan@fedoraproject.org, greg.hellings@gmail.com, java-sig-commits@lists.fedoraproject.org, mizdebsk@redhat.com, nsantos@redhat.com, rob.myers@gtri.gatech.edu
Target Milestone: ---
Classification: Other
All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658.
References:
https://snyk.io/vuln/SNYK-JAVA-COMPUPPYCRAWLTOOLS-543266
https://bugzilla.redhat.com/show_bug.cgi?id=1796858
Pedro Sampaio psampaio@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |1796859
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1796859 [Bug 1796859] CVE-2019-10782 checkstyle: XML External Entity Injection due to an incomplete fix for CVE-2019-9658 [fedora-all]
--- Comment #1 from Pedro Sampaio psampaio@redhat.com ---
Created checkstyle tracking bugs for this issue:
Affects: fedora-all [bug 1796859]
Product Security DevOps Team prodsec-dev@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |UPSTREAM
        Last Closed|                            |2020-01-31 14:09:33

--- Comment #2 from Product Security DevOps Team prodsec-dev@redhat.com ---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Ted (Jong Seok) Won jwon@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1860026
Ted (Jong Seok) Won jwon@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1860026                     |
Chess Hazlett chazlett@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aileenc@redhat.com,
                   |                            |chazlett@redhat.com,
                   |                            |drieden@redhat.com,
                   |                            |ggaughan@redhat.com,
                   |                            |gmalinko@redhat.com,
                   |                            |janstey@redhat.com,
                   |                            |jochrist@redhat.com,
                   |                            |jwon@redhat.com
--- Comment #4 from Chess Hazlett chazlett@redhat.com --- Statement:
No Red Hat products use the vulnerable code affected by this flaw. However, Red Hat Fuse 7 does provide it in its offline maven repository, and as such is affected at a low impact. This may be resolved in a future release.
Bug 1796858 depends on bug 1796859, which changed state.

Bug 1796859 Summary: CVE-2019-10782 checkstyle: XML External Entity Injection due to an incomplete fix for CVE-2019-9658 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1796859

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |EOL