CVE-2023-48362 — XML External Entity (XXE) Injection in Software Foundation Apache Drill

CWE-611 — XML External Entity (XXE) Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 51.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Drill Apache Drill

Timeline

PublishedJul 24

Description

XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/drill1.9.0 — 1.21.2

▶CVEListV5apache_software_foundation/apache_drill1.19.0 — 1.21.2

🔴Vulnerability Details

CVEList

Apache Drill: XXE Vulnerability in XML Format Reader↗2024-07-24

▶

GHSA

XML External Entity Reference (XXE) in the XML Format Plugin in Apache Drill↗2024-07-24

▶

OSV

XML External Entity Reference (XXE) in the XML Format Plugin in Apache Drill↗2024-07-24

▶