Subject: Re: [xsl] Saxon vulnerability
From: "Dimitre Novatchev dnovatchev@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 7 Mar 2025 21:08:19 -0000
Is a call to parse-xml being done "behind the scene" by any popular applications that might be using Saxon internally, such as Oxygen and/or some XSLT/XPath extensions to VS.Code? If so, we should probably also be cautious to use these, before this vulnerability has been fixed and they confirm that they are no longer using the affected previous versions of Saxon.

Thanks,
Dimitre.

On Fri, Mar 7, 2025 at 12:09 PM Michael Kay michaelkay90@xxxxxxxxx <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> If you are using Saxon to run untrusted XSLT or XQuery code, please note
> the security vulnerability in parse-xml() identified by @Martin Honnen at
> https://saxonica.plan.io/issues/6711, and apply the workaround noted in
> comment #12.
>
> The effect of the vulnerability is to allow an attacker to execute a
> malicious call on parse-xml() that reads filestore on the host machine. The
> normal JAXP configuration settings to prevent such access have no effect on
> this path.
>
> The problem affects all releases of SaxonJ and SaxonC, we have yet to
> assess the situation with SaxonCS.
>
> Michael Kay
> Saxonica