Posted to announce@apache.org by Cédric Damioli <cd...@apache.org> on 2020/09/11 09:39:23 UTC
[CVE-2020-11991] Apache Cocoon security vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Cocoon up to 2.1.12
Description: When using the StreamGenerator, the code parses a
user-provided XML.
A specially crafted XML, including external system entities, could be
used to access any file on the server system.
Mitigation:
The StreamGenerator now ignores external entities. 2.1.x users should
upgrade to 2.1.13
Example:
With the following input:
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>
an attacker got the content of /etc/shadow
Credit: This issue was discovered by Nassim Asrir.
Regards,
--
Cédric Damioli
Re: [CVE-2020-11991] Apache Cocoon security vulnerability
Posted by Cédric Damioli <cd...@apache.org>.
Hi,
Entities resolution is managed by features of the SAX Parser, before any
transformation.
Cédric
On 11/09/2020 at 12:12, gelo1234 wrote:
>
> Hello Cedric,
>
> Are external entities blocked also in XSLT?
>
> Greetings,
> Greg
>
--
Cédric Damioli
CMS - Java - Open Source
www.ametys.org
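The mitigation in the announcement and the reply above both come down to SAX parser features. The following is an added example, not Cocoon's code or the 2.1.13 patch: it parses a document shaped like the advisory's sample with the JDK's built-in SAX parser, once with defaults and once with the standard SAX2 external-entity features disabled. The class name, the temporary file and its marker string are constructed for the demonstration, and Java 11 or later is assumed.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class name; not part of Apache Cocoon.
public class SaxExternalEntityCheck {

    // Parse the XML and return all character data delivered to the handler.
    static String parse(String xml, boolean ignoreExternalEntities) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        if (ignoreExternalEntities) {
            // Standard SAX2 feature names: external entities are skipped, not resolved.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        }
        StringBuilder text = new StringBuilder();
        factory.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive server-side file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "CONSTRUCTED-SECRET");
        try {
            String xml = "<?xml version=\"1.0\" ?>"
                + "<!DOCTYPE replace [<!ENTITY ent SYSTEM \"" + secret.toUri() + "\"> ]>"
                + "<userInfo><firstName>John</firstName><lastName>&ent;</lastName></userInfo>";
            String withDefaults = parse(xml, false);
            String hardened = parse(xml, true);
            System.out.println("default parser leaks file:  " + withDefaults.contains("CONSTRUCTED-SECRET"));
            System.out.println("hardened parser leaks file: " + hardened.contains("CONSTRUCTED-SECRET"));
            // Fail loudly if the hardened configuration still resolved the entity.
            if (hardened.contains("CONSTRUCTED-SECRET")) {
                throw new IllegalStateException("external entity was resolved");
            }
        } finally {
            Files.delete(secret);
        }
    }
}
```

Because the features are set on the parser factory, the entity reference is dropped during parsing, before any later pipeline stage sees the document.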
Re: [CVE-2020-11991] Apache Cocoon security vulnerability
Posted by gelo1234 <ge...@gmail.com>.
Hello Cedric,
Are external entities blocked also in XSLT?
Greetings,
Greg