XML Injection
Bug #1657139 reported by
Shaik Apsar
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack DBaaS (Trove) |
New
|
Wishlist
|
Unassigned | ||
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
The xml.dom.minidom module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.
Trove code base is using xml.dom.minidom.
Writing unvalidated data into an XML document can allow an attacker to change the structure and contents of the XML.
Revision history for this message
| Jeremy Stanley (fungi) wrote | #1 |
| Changed in ossa: | |
| status: | New → Incomplete |
| description: | updated |
Revision history for this message
| Tristan Cacqueray (tristan-cacqueray) wrote | #2 |
Revision history for this message
| Amrith Kumar (amrith) wrote | #3 |
Revision history for this message
| Amrith Kumar (amrith) wrote | #4 |
Revision history for this message
| Tristan Cacqueray (tristan-cacqueray) wrote | #5 |
Revision history for this message
| Amrith Kumar (amrith) wrote | #6 |
| description: | updated |
| information type: | Private Security → Public |
| tags: | added: security |
| Changed in ossa: | |
| status: | Incomplete → Won't Fix |
| Changed in trove: | |
| importance: | Undecided → Wishlist |
To post a comment you must log in.
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.