It was discovered (${URL}) that the Castor library's unmarshalling class is susceptible to XML External Entity (XXE) attacks. If the XML that is being passed to the unmarshalling function is controllable by an end user, there is the potential that they could retrieve local resources, download malicious code from other servers, and/or open arbitrary TCP connections.

===========================================================
Recommendation
===========================================================

Upgrade to Castor version 1.3.3, which now disables external entities by default. Alternatively, the manual fix for this issue is actually very simple. The main Castor configuration file (castor.properties) can be used to specify which XML features should be enabled/disabled. In order to prevent the parser from reading external entities, the external-general-entities and the external-parameter-entities should be disabled. Additionally, the disallow-doctype-decl option should be turned on. The following is what the entry in the castor.properties file should look like:
CVE-2014-3004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3004): The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.
This package has been masked for removal. See bug 268619. We will close this bug after the removal.
GLSA Vote: No
Vote: NO.