XML External Entity Injection (XXE) Affecting org.apache.hadoop:hadoop-hdfs package, versions [,3.3.2)
Snyk CVSS: Attack Complexity: Low
- Snyk ID SNYK-JAVA-ORGAPACHEHADOOP-2329722
- published 7 Mar 2022
- disclosed 5 Jan 2022
- credit Ashutosh Gupta
How to fix?
Upgrade org.apache.hadoop:hadoop-hdfs to version 3.3.2 or higher.
Overview
org.apache.hadoop:hadoop-hdfs is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models.
Affected versions of this package are vulnerable to XML External Entity Injection (XXE) due to insecure parsing of XML files via the OfflineEditsXmlLoader.java tool.