[xsl] Saxon vulnerability

Subject: [xsl] Saxon vulnerability
From: "Michael Kay michaelkay90@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 7 Mar 2025 20:09:18 -0000

If you are using Saxon to run untrusted XSLT or XQuery code, please note the
security vulnerability in parse-xml() identified by Martin Honnen at
https://saxonica.plan.io/issues/6711, and apply the workaround noted in
comment #12.

The effect of the vulnerability is to allow an attacker to execute a malicious
call on parse-xml() that reads filestore on the host machine. The normal JAXP
configuration settings to prevent such access have no effect on this path.

The problem affects all releases of SaxonJ and SaxonC; we have yet to assess
the situation with SaxonCS.

Michael Kay
Saxonica
