GHSA-68J8-FP38-P48Q

Vulnerability from github – Published: 2024-09-19 14:49 – Updated: 2024-09-20 14:52
VLAI?
Summary
Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack
Details

Impact

The profile location routine in the referencevalidator commons package is vulnerable to XML External Entities attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a Server Side Request Forgery attack.

The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources.

Patches

The problem has been patched with the 2.5.1 version of the referencevalidator. Users are strongly recommended to update to this version or a more recent one.

Workarounds

A pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.

References

Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
7.8 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "de.gematik.refv.commons:commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-46984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-19T14:49:40Z",
    "nvd_published_at": "2024-09-19T23:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe profile location routine in the referencevalidator commons package is vulnerable to [XML External Entities](https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)) attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) attack.\n\nThe vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources. \n\n### Patches\nThe problem has been patched with the [2.5.1 version](https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1) of the referencevalidator. Users are strongly recommended to update to this version or a more recent one. \n\n### Workarounds\nA pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.\n\n### References\n- [OWASP Top 10 XXE](https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#)\n- [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n- [OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)",
  "id": "GHSA-68j8-fp38-p48q",
  "modified": "2024-09-20T14:52:32Z",
  "published": "2024-09-19T14:49:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gematik/app-referencevalidator/security/advisories/GHSA-68j8-fp38-p48q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46984"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gematik/app-referencevalidator/commit/d6d27613fab7a8dd08534946f29e0c51f319cad6"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gematik/app-referencevalidator"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.