CVE-2023-48362: XML External Entity Reference (XXE) in the XML Format Plugin in Apache Drill

July 24, 2024 (updated September 10, 2024)

XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.

References

github.com/advisories/GHSA-v62g-jwj9-rfvx
github.com/apache/drill
github.com/apache/drill/commit/0e88b7a5101d24c561a2a3efb12d7a3b3f7933f3
issues.apache.org/jira/browse/DRILL-8461
lists.apache.org/thread/9tt0q4bdjwgw0dz0l9knqxjnpb5y6zsl
nvd.nist.gov/vuln/detail/CVE-2023-48362

Detect and mitigate CVE-2023-48362 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →