FasterXML / woodstox

The gold standard Stax XML API implementation. Now at Github.
Apache License 2.0

Scan Tool reporting Improper Restriction of XML External Entity Reference CWE ID 611 vulnerability flaw (XXE Attack) #169

Closed tarekahf closed 9 months ago

tarekahf commented 1 year ago

I added jackson-dataformat-xml 2.12.7 to my project, which pulled in woodstox-core 6.2.4. The scan tool reported the above-mentioned XXE Attack. Then, I upgraded to 6.5.0 and still had the same problem.

How can I mitigate or resolve this security flaw?

See the table below for details.

| Flaw Id | Module | Location | Line | Exploitability |
|---|---|---|---|---|
| 2294 | woodstox-core-6.5.0.jar | .../DatatypeLibraryLoader$Service$Loader.java | 1 | Likely |
| 2295 | woodstox-core-6.5.0.jar | .../DatatypeLibraryLoader$Service$Loader2.java | 1 | Likely |
| 2293 | woodstox-core-6.5.0.jar | com/.../VerifierFactory.java | 157 | Likely |

The other flaw is the "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE ID 470".

| Flaw Id | Module | Location | Line | Exploitability |
|---|---|---|---|---|
| 2294 | woodstox-core-6.5.0.jar | .../DatatypeLibraryLoader$Service$Loader.java | 1 | Likely |
| 2295 | woodstox-core-6.5.0.jar | .../DatatypeLibraryLoader$Service$Loader2.java | 1 | Likely |
| 2293 | woodstox-core-6.5.0.jar | com/.../VerifierFactory.java | 157 | Likely |

How can I resolve or mitigate the above flaws?

cowtowncoder commented 1 year ago

I don't know. It is up to reporters to sort of explain why there are suspected flaws, and not for authors to try to decipher output of 3rd party (often commercial) tools (for which we may not have access to).

So I am not aware of reported security vulnerabilities: someone would need to dig in and have a look. I do not have time to do this here, without more information.

tarekahf commented 1 year ago

> I don't know. It is up to reporters to sort of explain why there are suspected flaws, and not for authors to try to decipher output of 3rd party (often commercial) tools (for which we may not have access to).
>
> So I am not aware of reported security vulnerabilities: someone would need to dig in and have a look. I do not have time to do this here, without more information.

@cowtowncoder I am thinking ... how would a user of my code (the client) take advantage of such XXE attack vulnerabilities present in woodstox (as the tool claimed)? I can't wrap my head around such a scenario. I can understand that the client may take advantage of my code, not the code I depend on. For XXE to occur, the client must submit an XML file, and my code already mitigated such vulnerabilities.

Please let me know your thoughts as I need to verify my understanding to be able to engage in discussions when talking about this issue.

See this for details: https://stackoverflow.com/a/75825877/4180447

cowtowncoder commented 1 year ago

Added my notes in the referring issues. Basically it'd be exfiltration of XML content by using entities in DTD internal subset (or XSL processing, references).
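For readers who want to check that their own code really does close the channel described above (entity declarations in a DTD internal subset pulling in external content), here is an added example of how that mitigation is expressed on the Stax/Woodstox side and carried into a Jackson `XmlMapper`. This is illustrative code written for this thread, not code from the woodstox or jackson-dataformat-xml projects; it assumes woodstox-core and jackson-dataformat-xml on the classpath, and the file path inside the sample document is a placeholder, not a real target. It does not address the separate CWE-470 reflection finding from the scan tables, which concerns the datatype-library loader classes rather than document parsing.

```java
import java.io.StringReader;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import com.ctc.wstx.api.WstxInputProperties;
import com.ctc.wstx.stax.WstxInputFactory;
import com.ctc.wstx.stax.WstxOutputFactory;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

/** Example (not project code): a Woodstox input factory hardened against XXE, and a Jackson mapper built on it. */
public final class HardenedXmlParsing {

    /** Woodstox factory with DTD processing and external entity resolution switched off. */
    public static XMLInputFactory hardenedInputFactory() {
        WstxInputFactory f = new WstxInputFactory();
        // No DOCTYPE processing: entity declarations in the internal subset are not honoured,
        // which removes the exfiltration channel the maintainer describes.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Independently forbid resolving external general entities, so re-enabling DTDs later
        // for validation does not silently reopen file:// or http:// fetches.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Woodstox-specific caps that bound entity expansion (the "billion laughs" family).
        // The numbers are assumptions chosen for this example; size them for your documents.
        f.setProperty(WstxInputProperties.P_MAX_ENTITY_COUNT, 100);
        f.setProperty(WstxInputProperties.P_MAX_ENTITY_DEPTH, 2);
        return f;
    }

    /** Jackson XmlMapper whose deserialisation goes through the hardened factory above. */
    public static XmlMapper hardenedXmlMapper() {
        XmlFactory xf = new XmlFactory(hardenedInputFactory(), new WstxOutputFactory());
        return new XmlMapper(xf);
    }

    /** Reads a document with the given factory and returns its concatenated character content. */
    public static String textContent(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamReader.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample document: an internal-subset entity pointing at an external resource.
        // The path is a placeholder; nothing on disk is referenced when the hardened factory is used.
        String sample = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\"> ]>\n"
                + "<doc>&ext;</doc>";

        try {
            String text = textContent(hardenedInputFactory(), sample);
            // If the parser tolerates the reference without resolving it, the text will not
            // contain any external content.
            System.out.println("Parsed without resolving the entity; text = '" + text + "'");
        } catch (XMLStreamException e) {
            // With DTD support off the entity is undeclared from the parser's point of view and
            // the document is rejected; either outcome means no external resource was read.
            System.out.println("Rejected by parser: " + e.getMessage());
        }
    }
}
```

The check a reviewer would want is the one `main` performs: feed the hardened factory a document whose only payload is an entity reference and confirm that the result contains nothing from outside the document, whether the parser rejects it or simply does not resolve it. Applying the same properties to the factory handed to `XmlFactory` is what makes the mitigation hold for every `XmlMapper.readValue` call rather than only for hand-written Stax code.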