Apache Drill security advisories

Security information for Apache Drill

Reporting

Do you want disclose a potential security issue for Apache Drill? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

XXE Vulnerability in XML Format Reader

CVE-2023-48362 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-24T07:45:42.417Z

Affected

  • Apache Drill from 1.19.0 before 1.21.2

Description

XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file.
Users are recommended to upgrade to version 1.21.2, which fixes this issue.

References

Credits

  • Yuzhe Huang (finder)