TinyXML very outdated #2539
-
aws-sdk-cpp contains a very old version of TinyXML (probably 6.0? The version claims 6.1 but there is no official 6.1 release of TinyXML). The security scan in our own C++ project complains that TinyXML 6.0 has a heap-overflow vulnerability with malformed XML that can be used for a denial of service attack (i.e. it will crash the SDK). I personally do not think that this can be exploited easily as the SDK communicates with servers under the control of AWS - an attacker would have to somehow hijack this connection to explit the issue. It does seem to me that updating TinyXML to the latest (fixed) version would be best practice, though. Is something like that planned? Shall I create an issue? If yes, under which category? I decided against reporting this as as vulnerability as I am not even 100% sure that this is an actual issue. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
Hello @Kharos , Thank you very much for bringing this up to our attention. Yes you are right the SDK is currently using TinyXML2 6.1 (https://github.com/aws/aws-sdk-cpp/blob/0175cb2dd1dfdae3fd5f49a984db03802786746d/s[…]/aws-cpp-sdk-core/include/aws/core/external/tinyxml2/tinyxml2.h , commit setting v6.1: 95665de from 2018). The team is aware of this and part of #1888 would be to properly pull TinyXML2 to make sure it is up to date. There doesn't seem to be any vulnerability reported: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=TinyXML2 I do however agree with you that upgrading to the latest version would be best practice and will bring this up for discussion with the team. Thank you very much for your collaboration. Best, Yasmine |
Beta Was this translation helpful? Give feedback.
-
Hello! Reopening this discussion to make it searchable. |
Beta Was this translation helpful? Give feedback.
Hello @Kharos ,
Thank you very much for bringing this up to our attention. Yes you are right the SDK is currently using TinyXML2 6.1 (https://github.com/aws/aws-sdk-cpp/blob/0175cb2dd1dfdae3fd5f49a984db03802786746d/s[…]/aws-cpp-sdk-core/include/aws/core/external/tinyxml2/tinyxml2.h , commit setting v6.1: 95665de from 2018). The team is aware of this and part of #1888 would be to properly pull TinyXML2 to make sure it is up to date.
There doesn't seem to be any vulnerability reported: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=TinyXML2
I do however agree with you that upgrading to the latest version would be best practice and will bring this up for discussion with the team.
Thank you…