Apache Nutch is vulnerable to XML external entity (XXE) attacks. Loading of external DTDs is enabled by default, which allows an attacker to perform server-side request forgery attacks and to obtain system files and internal resources via a malicious Dmoz document.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | apache nutch | le | 2.4 |
| | apache nutch | le | 1.17 |
github.com/apache/nutch/pull/563
issues.apache.org/jira/browse/NUTCH-2841
lists.apache.org/thread.html/r090321840b44cc91086c4e317bf2baffa270749dde6c1273b6567f7c%40%3Cdev.nutch.apache.org%3E
lists.apache.org/thread.html/r5e2f7737b42c73a3325f3c2c8cdee1ec27631b3a0e144104d84d70e6@%3Cannounce.apache.org%3E
lists.apache.org/thread.html/r7ddfd680aa7ea001ca8da63bb23e3f8caa095a8b4f2261e46bade5c7@%3Cdev.nutch.apache.org%3E
security.netapp.com/advisory/ntap-20210513-0003/