CVE-2020-11991: Improper Restriction of XML External Entity Reference

September 11, 2020 (updated September 17, 2020)

When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.

References

lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2020-11991

Detect and mitigate CVE-2020-11991 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →