CVE-2019-10172
XML External Entity (XXE) vulnerability in jackson-mapper-asl (Maven)
What is CVE-2019-10172 About?
A flaw exists in the `org.codehaus.jackson:jackson-mapper-asl:1.9.x` libraries: XML external entity (XXE) weaknesses similar to CVE-2016-3720 are present in additional classes of the library. This allows attackers to perform XXE attacks, which can lead to information disclosure, denial of service, or server-side request forgery. Exploitation requires the application to process untrusted XML input using the vulnerable library.
Affected Software
Technical Details
The vulnerability is an XML External Entity (XXE) flaw in the codehaus jackson-mapper-asl libraries, version 1.9.x, analogous to previously identified XXE vulnerabilities such as CVE-2016-3720. When the affected library parses XML input, it does not properly disable external entity resolution. An attacker can craft a malicious XML document containing a DOCTYPE declaration that refers to external entities. When this XML is parsed, the library will attempt to resolve and include the content of those external entities, which can point to local files (e.g., /etc/passwd), internal network resources, or arbitrary URLs. This can lead to sensitive information disclosure, denial of service (via resource exhaustion), or Server-Side Request Forgery (SSRF).
What is the Impact of CVE-2019-10172?
Successful exploitation may allow attackers to disclose sensitive information from the server, perform denial of service, or execute server-side request forgery attacks.
What is the Exploitability of CVE-2019-10172?
Exploitation requires the attacker to be able to submit specially crafted XML input to the application, which is then parsed by the vulnerable jackson-mapper-asl library. The complexity is medium, as crafting effective XXE payloads can sometimes require knowledge of the target system's file paths or internal network structure. Authentication may or may not be required, depending on whether the XML-processing endpoint is reachable before authentication. Privilege requirements are generally low. This is a remote vulnerability, as it typically involves sending malicious XML over the network. The most significant risk factor is an application that accepts and parses untrusted XML input without proper XXE mitigations (e.g., disabling DTDs or external entity resolution).
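The mitigation named above, disabling DTDs and external entity resolution, applied to a Java DOM parser. This is an added example, not code from this advisory or from the jackson-mapper-asl project; the class name and the XML sample are constructed for illustration. Because the vulnerable library builds its own parser internally, a configuration like this is used to gate untrusted XML before it reaches the library, or in a parser that replaces the library's XML handling.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {
    // Constructed sample input: a DOCTYPE declaring an external entity. A parser that
    // still resolves entities would fetch the SYSTEM identifier and inline its content.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///placeholder/not-resolved\"> ]>\n"
      + "<data>&ext;</data>";

    // DocumentBuilderFactory with DTD processing and external entity resolution off.
    // The feature URIs are the standard SAX/Xerces ones supported by the JDK parser.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest control: reject any DOCTYPE, since XXE payloads depend on one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: no file or network access for external DTDs and schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Returns true when the document parses, false when the hardened parser rejects it.
    static boolean parse(String xml) throws Exception {
        try {
            hardenedFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, the DOCTYPE itself is the parse error,
            // so the external entity is never resolved.
            System.out.println("Rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parse(UNTRUSTED_XML));      // constructed untrusted sample
        System.out.println(parse("<data>ok</data>"));  // plain document without DOCTYPE
    }
}
```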
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| rusakovichma | Link | CVE-2019-10172 PoC and Possible mitigations |
What are the Available Fixes for CVE-2019-10172?
Available Upgrade Options
- No fixes available
Additional Resources
- https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E
- https://osv.dev/vulnerability/GHSA-r6j9-8759-g62w
- https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-10172?
Similar Vulnerabilities: CVE-2016-3720, CVE-2018-1259, CVE-2019-10171, CVE-2020-1938, CVE-2019-1300
