FasterXML/woodstox

Scan Tool reporting Improper Restriction of XML External Entity Reference CWE ID 611 vulnerability flaw (XXE Attack)

tarekahf opened this issue · 3 comments

I added jackson-dataformat-xml 2.12.7 to my project, which pulled in woodstox-core 6.2.4. The scan tool reported the above-mentioned XXE attack. Then I upgraded to 6.5.0 and still had the same problem.

How can I mitigate or resolve this security flaw?

See the table below for details.

| Flaw Id | Module | Location | Line | Exploitability |
|---------|--------|----------|------|----------------|
| 2294 | woodstox-core-6.5.0.jar | .../DatatypeLibraryLoader$Service$Loader.java | 1 | Likely |
| 2295 | woodstox-core-6.5.0.jar | .../DatatypeLibraryLoader$Service$Loader2.java | 1 | Likely |
| 2293 | woodstox-core-6.5.0.jar | com/.../VerifierFactory.java | 157 | Likely |

The other flaw is the "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE ID 470".

| Flaw Id | Module | Location | Line | Exploitability |
|---------|--------|----------|------|----------------|
| 2294 | woodstox-core-6.5.0.jar | .../DatatypeLibraryLoader$Service$Loader.java | 1 | Likely |
| 2295 | woodstox-core-6.5.0.jar | .../DatatypeLibraryLoader$Service$Loader2.java | 1 | Likely |
| 2293 | woodstox-core-6.5.0.jar | com/.../VerifierFactory.java | 157 | Likely |

How can I resolve or mitigate the above flaws?

I don't know. It is up to reporters to sort of explain why there are suspected flaws, and not for authors to try to decipher output of 3rd party (often commercial) tools (to which we may not have access).

So I am not aware of reported security vulnerabilities: someone would need to dig in and have a look. I do not have time to do this here, without more information.


@cowtowncoder
I am thinking ... how would a user of my code (the client) take advantage of such XXE attack vulnerabilities present in woodstox (as the tool claimed)? I can't wrap my head around such a scenario. I can understand that the client may take advantage of my code, not the code I depend on. For XXE to occur, the client must submit an XML file, and my code already mitigated such vulnerabilities.

Please let me know your thoughts as I need to verify my understanding to be able to engage in discussions when talking about this issue.

See this for details: https://stackoverflow.com/a/75825877/4180447

Added my notes in the referring issues. Basically it'd be exfiltration of XML content by using entities in DTD internal subset (or XSL processing, references).
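The mitigation the reporter asks about, and the DTD-internal-subset entity path the last comment names, both come down to how the StAX factory that Woodstox provides is configured. The following is an added example written for this thread; it is not code from the Woodstox or Jackson projects. It assumes woodstox-core and jackson-dataformat-xml on the classpath, uses only the standard `javax.xml.stream.XMLInputFactory` property names (`SUPPORT_DTD`, `IS_SUPPORTING_EXTERNAL_ENTITIES`), and feeds the parser a constructed document whose internal DTD subset declares an external entity, which is the document shape an XXE scan is concerned with. The class name, method names and the placeholder `file:///` URI are this example's own; whether `XmlFactory` already sets these properties by default in a given Jackson version is not relied on, the example sets them explicitly so the self-check holds regardless.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;

import com.ctc.wstx.stax.WstxInputFactory;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

// Hypothetical helper class for this thread, not part of Woodstox or Jackson.
public class HardenedXmlParsing {

    // Constructed test input: an internal DTD subset declaring an external entity
    // and referencing it in element content. The URI is a placeholder that is never read.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///placeholder-not-read\"> ]>\n"
      + "<note><body>&ext;</body></note>";

    /** Woodstox input factory with DTD processing and external entity resolution turned off. */
    public static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory f = new WstxInputFactory();
        // Standard StAX property names; Woodstox honours both.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Startup self-check: true only when both protections are in effect on the factory. */
    public static boolean isHardened(XMLInputFactory f) {
        return Boolean.FALSE.equals(f.getProperty(XMLInputFactory.SUPPORT_DTD))
            && Boolean.FALSE.equals(f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }

    /** Jackson XmlMapper that reuses the hardened StAX factory for every read. */
    public static XmlMapper hardenedXmlMapper() {
        return new XmlMapper(new XmlFactory(hardenedInputFactory()));
    }

    /** Reads the document with plain StAX and returns the collected character content. */
    public static String readText(XMLInputFactory f, String xml) throws Exception {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        XMLInputFactory f = hardenedInputFactory();
        System.out.println("factory hardened: " + isHardened(f));

        // Low-level StAX read: the external entity is never resolved; depending on
        // Woodstox's handling of the now-undeclared reference the read either
        // completes without the entity content or is rejected outright.
        try {
            String text = readText(f, SAMPLE_WITH_DTD);
            System.out.println("StAX read completed, text content = '" + text + "'");
        } catch (Exception e) {
            System.out.println("StAX rejected the document: " + e.getMessage());
        }

        // Same hardened factory driving Jackson data-binding.
        try {
            hardenedXmlMapper().readTree(SAMPLE_WITH_DTD);
            System.out.println("XmlMapper read completed without resolving the entity");
        } catch (Exception e) {
            System.out.println("XmlMapper rejected the document: " + e.getMessage());
        }
    }
}
```

In practice the useful part is `isHardened`: call it once at application startup on the factory your `XmlMapper` actually uses, and fail fast if it returns false, so a later dependency bump or a different `XMLInputFactory` implementation picked up from the classpath cannot silently re-enable DTD processing.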