Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-WC63-92VQ-35GR

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-11T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.",
  "id": "GHSA-wc63-92vq-35gr",
  "modified": "2022-05-24T19:02:09Z",
  "published": "2022-05-24T19:02:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30006"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2021/05/07/jetbrains-security-bulletin-q1-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WC97-7623-RXWX

Vulnerability from github – Published: 2022-05-01 00:00 – Updated: 2022-05-18 18:58
VLAI
Summary
Multiple components in Apache NiFi do not restrict XML External Entity references
Details

Apache NiFi is a system to process and distribute data. Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml

Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. NiFi 1.16.1 disables Document Type Declarations in the default configuration for these Processors and disallows XML External Entity resolution in standard services.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.1"
            },
            {
              "fixed": "1.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-18T18:58:58Z",
    "nvd_published_at": "2022-04-30T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache NiFi is a system to process and distribute data. Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: \n- EvaluateXPath \n- EvaluateXQuery \n- ValidateXml \n\nApache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. NiFi 1.16.1 disables Document Type Declarations in the default configuration for these Processors and disallows XML External Entity resolution in standard services.",
  "id": "GHSA-wc97-7623-rxwx",
  "modified": "2022-05-18T18:58:58Z",
  "published": "2022-05-01T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29265"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/nifi"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl"
    },
    {
      "type": "WEB",
      "url": "https://nifi.apache.org/security.html#CVE-2022-29265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Multiple components in Apache NiFi do not restrict XML External Entity references"
}

GHSA-WC9J-GC65-3CM7

Vulnerability from github – Published: 2023-08-31 21:47 – Updated: 2023-08-31 21:47
VLAI
Summary
DDFFileParser is vulnerable to XXE Attacks
Details

Impact

DDFFileParser and DefaultDDFFileValidator (and so ObjectLoader) are vulnerable to XXE Attacks.

DDF file is a LWM2M format used to store LWM2M object description.
Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version. If you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory.

Patches

This is fixed in v1.5.0 and 2.0.0-M13.

Workarounds

No easy way. Eventually writing your own DDFFileParser/DefaultDDFFileValidator (and so ObjectLoader) creating a DocumentBuilderFactory with :

// For DDFFileParser
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // Disable DTDs
factory.setXIncludeAware(false); // Disable XML Inclusions
factory.setExpandEntityReferences(false); // disable expand entity reference nodes

// For DefaultDDFFileValidator
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

References

  • https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
  • https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
  • https://semgrep.dev/docs/cheat-sheets/java-xxe/
  • https://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.leshan:leshan-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.leshan:leshan-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-M1"
            },
            {
              "fixed": "2.0.0-M13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41034"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-31T21:47:28Z",
    "nvd_published_at": "2023-08-31T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n`DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to [XXE Attacks](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing).\n\n[DDF file](https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model) is a LWM2M format used to store LWM2M object description.   \nLeshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model), in that case they MUST upgrade to fixed version.\nIf you parse only trusted DDF file and validate only with trusted xml schema, upgrading is not mandatory. \n\n### Patches\nThis is fixed in **v1.5.0** and **2.0.0-M13**.\n\n### Workarounds\nNo easy way. Eventually writing your own `DDFFileParser`/`DefaultDDFFileValidator` (and so `ObjectLoader`) creating a `DocumentBuilderFactory` with : \n```java\n// For DDFFileParser\nDocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\nfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\nfactory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true); // Disable DTDs\nfactory.setXIncludeAware(false); // Disable XML Inclusions\nfactory.setExpandEntityReferences(false); // disable expand entity reference nodes\n\n// For DefaultDDFFileValidator\nSchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);\nfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\nfactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\nfactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\");\n``` \n\n### References\n- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing\n- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html\n- https://semgrep.dev/docs/cheat-sheets/java-xxe/\n- https://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE",
  "id": "GHSA-wc9j-gc65-3cm7",
  "modified": "2023-08-31T21:47:28Z",
  "published": "2023-08-31T21:47:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-leshan/leshan/security/advisories/GHSA-wc9j-gc65-3cm7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41034"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-leshan/leshan/commit/29577d2879ba8e7674c3b216a7f01193fc7ae013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse-leshan/leshan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DDFFileParser is vulnerable to XXE Attacks"
}

GHSA-WCM6-QR3C-R573

Vulnerability from github – Published: 2022-11-05 12:00 – Updated: 2022-11-09 12:00
VLAI
Details

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-04T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error.",
  "id": "GHSA-wcm6-qr3c-r573",
  "modified": "2022-11-09T12:00:24Z",
  "published": "2022-11-05T12:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43570"
    },
    {
      "type": "WEB",
      "url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-1110.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCP5-M52F-MHH5

Vulnerability from github – Published: 2021-05-07 15:54 – Updated: 2022-09-08 14:05
VLAI
Summary
Improper Restriction of XML External Entity Reference in MPXJ
Details

"MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components."

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "net.sf.mpxj:mpxj"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-25020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T19:48:23Z",
    "nvd_published_at": "2020-08-29T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "\"MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.\"",
  "id": "GHSA-wcp5-m52f-mhh5",
  "modified": "2022-09-08T14:05:32Z",
  "published": "2021-05-07T15:54:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25020"
    },
    {
      "type": "WEB",
      "url": "https://github.com/joniles/mpxj/pull/178/commits/c3e457f7a16facfe563eade82b0fa8736a8c96f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/joniles/mpxj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/joniles/mpxj/releases/tag/v8.1.4"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in MPXJ"
}

GHSA-WCRG-92WP-4H28

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2023-10-27 11:58
VLAI
Summary
XXE vulnerability in Jenkins Nerrvana Plugin
Details

Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, XML parsing is exposed as a form validation endpoint that does not require POST requests, allowing exploitation by users without Overall/Read permission via CSRF.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:nerrvana-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.02.06"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-21T18:52:12Z",
    "nvd_published_at": "2020-10-08T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nAdditionally, XML parsing is exposed as a form validation endpoint that does not require POST requests, allowing exploitation by users without Overall/Read permission via CSRF.",
  "id": "GHSA-wcrg-92wp-4h28",
  "modified": "2023-10-27T11:58:39Z",
  "published": "2022-05-24T17:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2298"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/nerrvana-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-2097"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/10/08/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Nerrvana Plugin"
}

GHSA-WF8M-QR47-XC9M

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2023-07-06 21:55
VLAI
Summary
Jenkins AbsInt a³ Plugin XML External Entity Reference vulnerability
Details

Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control Project File (APX) contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:absint-a3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T21:55:57Z",
    "nvd_published_at": "2023-03-22T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins AbsInt a\u00b3 Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control `Project File (APX)` contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
  "id": "GHSA-wf8m-qr47-xc9m",
  "modified": "2023-07-06T21:55:57Z",
  "published": "2023-07-06T19:24:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28685"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2930"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins AbsInt a\u00b3 Plugin XML External Entity Reference vulnerability"
}

GHSA-WFJ4-9275-FH6P

Vulnerability from github – Published: 2022-05-17 00:18 – Updated: 2022-05-17 00:18
VLAI
Details

TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-17T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.",
  "id": "GHSA-wfj4-9275-fh6p",
  "modified": "2022-05-17T00:18:38Z",
  "published": "2022-05-17T00:18:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10889"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN05398317/index.html"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/tablepress/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFXP-4QGW-QP3C

Vulnerability from github – Published: 2022-03-18 17:52 – Updated: 2022-03-18 17:52
VLAI
Summary
XML external entity (XXE) attacks in Jenkins Xcode integration Plugin
Details

Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:xcode-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-19T19:20:58Z",
    "nvd_published_at": "2021-05-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.",
  "id": "GHSA-wfxp-4qgw-qp3c",
  "modified": "2022-03-18T17:52:43Z",
  "published": "2022-03-18T17:52:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21656"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/xcode-plugin/commit/01335f1f4734e4a7eda69b28e182ecd4c34a1a4b"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2335"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML external entity (XXE) attacks in Jenkins Xcode integration Plugin"
}

GHSA-WG99-5VRX-J2GG

Vulnerability from github – Published: 2023-01-05 12:30 – Updated: 2023-01-11 23:01
VLAI
Summary
bonita-connector-webservice XML External Entity vulnerability
Details

A vulnerability, which was classified as problematic, was found in bonitasoft bonita-connector-webservice up to 1.3.0. This affects the function TransformerConfigurationException of the file src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.1 can address this issue. The name of the patch is a12ad691c05af19e9061d7949b6b828ce48815d5. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217443.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bonitasoft.connectors:bonita-connector-webservice"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T20:04:58Z",
    "nvd_published_at": "2023-01-05T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability, which was classified as problematic, was found in bonitasoft bonita-connector-webservice up to 1.3.0. This affects the function `TransformerConfigurationException` of the file `src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java`. The manipulation leads to xml external entity reference. Upgrading to version 1.3.1 can address this issue. The name of the patch is a12ad691c05af19e9061d7949b6b828ce48815d5. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217443.",
  "id": "GHSA-wg99-5vrx-j2gg",
  "modified": "2023-01-11T23:01:28Z",
  "published": "2023-01-05T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36640"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bonitasoft/bonita-connector-webservice/pull/17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bonitasoft/bonita-connector-webservice/commit/a12ad691c05af19e9061d7949b6b828ce48815d5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bonitasoft/bonita-connector-webservice"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bonitasoft/bonita-connector-webservice/releases/tag/1.3.1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217443"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217443"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bonita-connector-webservice XML External Entity vulnerability"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.