CVE-2020-13692
XXE vulnerability in postgresql (Maven)
What is CVE-2020-13692 About?
The PostgreSQL JDBC Driver (PgJDBC) before 42.2.13 is vulnerable to XML External Entity (XXE) injection: the XML parser the driver uses for its java.sql.SQLXML support does not disable external entity processing. An attacker who can get crafted XML to that parser (for example by storing it in an xml column that the application later reads back through the SQLXML API) can read local files on the application host or cause it to make outbound requests, leading to information disclosure or SSRF. The crafted input is ordinary XML carrying a DOCTYPE with an external entity declaration, so the payload itself is easy to build; the effort lies in reaching the driver's XML parser with attacker-controlled data.
Affected Software
Technical Details
The vulnerability resides in the PostgreSQL JDBC Driver (PgJDBC) prior to version 42.2.13, in the XML parsing behind the driver's SQLXML support. The driver created its XML factories without disabling external entity resolution, so an XML value that declares an external entity (for example <!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> followed by <r>&xxe;</r>) is expanded when the application converts the value to a DOM or other Source. Because the driver runs inside the application's JVM, the parse and everything it triggers happen on the application host rather than on the database server: the parser can be made to read arbitrary local files readable by the application process, or to open network connections to attacker-chosen URLs, giving sensitive information disclosure or Server-Side Request Forgery (SSRF) against resources reachable from the application. Version 42.2.13 builds its XML factories with external entity resolution disabled (see the fix commit in the resources below).
What is the Impact of CVE-2020-13692?
Successful exploitation may allow attackers to read arbitrary files on the host running the application (the JVM that loaded the driver, not the database server), perform Server-Side Request Forgery (SSRF) from that host, or cause denial of service through entity-expansion resource exhaustion.
What is the Exploitability of CVE-2020-13692?
Exploitation complexity is low to moderate. The attacker needs two things: an application running a vulnerable PgJDBC version, and a path by which attacker-controlled XML reaches the driver's XML parser, typically by writing it into an xml column through any input the application accepts and waiting for the application to read that value back as SQLXML and convert it to a Source. Whether authentication is required depends entirely on the application: if the input channel is unauthenticated, so is the attack. No database privileges beyond those the application already holds are needed, and the parse, file read and outbound request all occur in the application's JVM. The attack is remote in the usual sense (crafted data submitted over the network) but indirect, since nothing is sent to the driver directly. Likelihood rises when applications accept arbitrary XML from users without validation, or where XML parsers are left at JDK defaults, which permit external entity resolution.
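The parser misconfiguration described in the Technical Details and Exploitability sections, as an added, stand-alone Java example (not PgJDBC code and not the project's fix): it constructs an XXE payload of the kind an attacker would plant in an xml column, parses it with a stock JAXP DocumentBuilderFactory, comparable to the defaults the pre-42.2.13 driver relied on, which returns the contents of the referenced file, and then with a hardened factory that rejects the DOCTYPE before any entity is resolved. The class name, the canary file and the payload are constructed for this example; it needs no database, so it shows the parser behaviour rather than the driver's SQLXML call path.

```java
// Added example (not PgJDBC code): reproduces the JAXP misconfiguration class
// behind CVE-2020-13692 and the hardened configuration that closes it.
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SqlXmlXxeDemo {

    // Pre-fix pattern: a stock JAXP factory. The JDK ships it with external
    // general entities and entity expansion enabled, so SYSTEM entities are fetched.
    static DocumentBuilderFactory legacyFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: no DOCTYPE at all, hence no entity declarations, no
    // external DTD fetch and no entity-expansion DoS. The remaining features are
    // belt and braces for parser implementations that ignore disallow-doctype-decl.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse the XML string to a DOM and return the root element's text, which is
    // where an expanded external entity ends up.
    static String parseRootText(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    // Constructed XXE payload: the external entity points at a local file of the
    // attacker's choosing on the host that parses the XML.
    static String xxePayload(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"" + target.toUri() + "\">]>\n"
             + "<r>&xxe;</r>";
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive file on the application host (constructed).
        Path secret = Files.createTempFile("pgjdbc-xxe-canary", ".txt");
        Files.write(secret, "canary-secret-4242".getBytes(StandardCharsets.UTF_8));
        String payload = xxePayload(secret);

        // Legacy behaviour: the file contents come back as element text.
        System.out.println("legacy parser  : " + parseRootText(legacyFactory(), payload));

        // Hardened behaviour: the DOCTYPE is rejected before any entity is resolved.
        try {
            parseRootText(hardenedFactory(), payload);
            System.out.println("hardened parser: UNEXPECTED success");
        } catch (SAXException e) {
            System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Run with a JDK 11 or later: javac SqlXmlXxeDemo.java && java SqlXmlXxeDemo. The legacy line prints the canary string read from the temporary file; the hardened line prints a SAXParseException stating that DOCTYPE is disallowed. The hardened settings are the ones to apply to any parser an application feeds untrusted XML to, independently of the driver upgrade, since the upgrade only fixes the parsers the driver itself creates.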
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-13692?
Available Upgrade Options
- org.postgresql:postgresql
- >9.4.1212.jre6, <42.2.13 → Upgrade to 42.2.13
Version 42.2.13 also adds an xmlFactoryFactory connection property. Its default disables external entity processing; the LEGACY_INSECURE value restores the pre-42.2.13 parser behaviour and should not be set. After upgrading, confirm the driver version actually loaded at runtime (DatabaseMetaData.getDriverVersion()), since a shaded or transitive copy of an older driver can otherwise remain on the classpath.
Additional Resources
- https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13
- https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r7f6d019839df17646ffd0046a99146cacf40492a6c92078f65fd32e0%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/rb89f92aba44f524d5c270e0c44ca7aec4704691c37fe106cf73ec977@%3Cnotifications.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e%40%3Ccommits.camel.apache.org%3E
- https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
- https://www.debian.org/security/2022/dsa-5196
- https://lists.apache.org/thread.html/rfe363bf3a46d440ad57fd05c0e313025c7218364bbdc5fd8622ea7ae@%3Ccommits.camel.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCCAPM6FSNOC272DLSNQ6YHXS3OMHGJC
What are Similar Vulnerabilities to CVE-2020-13692?
Similar Vulnerabilities: CVE-2017-1000078, CVE-2017-7497, CVE-2017-12629, CVE-2018-1000850, CVE-2021-23337
