CVE-2020-14338
XML External Entity (XXE) vulnerability in xercesImpl (Maven)

Class: XML External Entity (XXE). Known public exploits: none.

What is CVE-2020-14338 About?

This vulnerability in Wildfly's fork of Apache Xerces (the xerces:xercesImpl artifact published by Red Hat) lets a specially crafted XML document manipulate the schema validation process. The weak point is how the XMLSchemaValidator class in the JAXP component enforces the "use-grammar-pool-only" feature. Red Hat rates the flaw moderate; it is the same defect as CVE-2020-14621 in OpenJDK, which shares the code. Exploitation requires only that the attacker be able to supply XML that the application validates.

Affected Software

xerces:xercesImpl <2.12.0.sp3

Technical Details

The flaw is in Wildfly's fork of Xerces, specifically in the XMLSchemaValidator class of the JAXP component, in builds before 2.12.0.SP3. When an application validates input against a compiled javax.xml.validation.Schema, the JAXP layer runs the validator with the Xerces feature "use-grammar-pool-only", which restricts validation to the grammars already in that pool and makes the validator ignore schema locations named by the document itself (xsi:schemaLocation and xsi:noNamespaceSchemaLocation hints). The affected versions did not enforce this feature correctly, so a crafted document could influence which grammar was applied and thereby manipulate or bypass the validation the application believed it was performing. The XXE classification reflects the wider risk on the same parser path: if the application also leaves DTD processing and external entity resolution enabled, a document that declares external entities can make the parser read local files or issue network requests (server-side request forgery). Those outcomes depend on the application's parser configuration; the defect itself concerns enforcement of the grammar-pool restriction during validation.
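The configuration below is an added example, not code from this page, from Wildfly, or from the Xerces project. It shows the JAXP setup a practitioner would pair with the upgrade: a schema compiled from a fixed source with external DTD and schema access turned off, and a document builder that rejects DOCTYPEs, disables external entity resolution, and validates only against that compiled Schema (the javax.xml.validation path on which Xerces runs XMLSchemaValidator with use-grammar-pool-only). The class name, the ORDER_XSD schema and the three sample documents are constructed for the example; the feature URIs are the ones Xerces documents, and the try/catch guards exist because not every Xerces build recognises the JAXP 1.5 access properties. Because the defect is in the enforcement of that grammar-pool restriction, this hardening narrows exposure but does not replace the upgrade.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;

import org.w3c.dom.Document;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXParseException;

/** Hypothetical class name: hardened JAXP parsing and validation on top of Xerces. */
public class HardenedXmlValidation {

    // SAX/Xerces feature URIs as documented by Apache Xerces (the JDK's internal copy knows them too).
    static final String DISALLOW_DOCTYPE  = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL       = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER     = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Constructed sample schema: the only grammar the validator is allowed to use.
    static final String ORDER_XSD =
          "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
        + "<xs:element name=\"order\"><xs:complexType><xs:sequence>"
        + "<xs:element name=\"item\" type=\"xs:string\"/>"
        + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    /** Validation problems go to an ErrorHandler; by default only fatal errors throw, so escalate. */
    static final class StrictHandler implements ErrorHandler {
        public void warning(SAXParseException e) { }
        public void error(SAXParseException e) throws SAXException { throw e; }
        public void fatalError(SAXParseException e) throws SAXException { throw e; }
    }

    /** Compile the application's schema once, with the factory forbidden from fetching remote DTDs or schemas. */
    public static Schema loadSchema() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Not every Xerces build recognises the JAXP 1.5 access properties; secure processing still applies.
        }
        return sf.newSchema(new StreamSource(new StringReader(ORDER_XSD)));
    }

    /** Builder that refuses DOCTYPEs, never resolves external entities, and validates only against 'schema'. */
    public static DocumentBuilder hardenedBuilder(Schema schema) throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);      // XXE needs a DTD: reject any <!DOCTYPE> outright
        f.setFeature(EXT_GENERAL, false);          // belt and braces should DOCTYPEs ever be re-enabled
        f.setFeature(EXT_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException e) {
            // Same caveat as above for the JAXP 1.5 attributes.
        }
        // Supplying a compiled Schema is the JAXP path on which Xerces runs XMLSchemaValidator with
        // use-grammar-pool-only, so xsi:schemaLocation hints in the input should be ignored. Correct
        // enforcement of that restriction is what the fixed build restores; this only narrows exposure.
        f.setSchema(schema);
        DocumentBuilder db = f.newDocumentBuilder();
        db.setErrorHandler(new StrictHandler());
        return db;
    }

    /** Parse one constructed document; returns the root element name or the rejection message. */
    static String attempt(DocumentBuilder db, String xml) {
        try {
            Document d = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted: " + d.getDocumentElement().getTagName();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedBuilder(loadSchema());

        // Constructed inputs. Only the first should be accepted.
        String valid   = "<order><item>widget</item></order>";
        String invalid = "<order><bogus/></order>";   // well formed, but not what ORDER_XSD allows
        String xxe     = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>"
                       + "<order><item>&ext;</item></order>";

        System.out.println(attempt(db, valid));
        System.out.println(attempt(db, invalid));
        System.out.println(attempt(db, xxe));
    }
}
```

Run it with the application's real Xerces build on the classpath: the invalid document is rejected by the compiled schema rather than by anything the document names, and the XXE document never reaches entity resolution because the DOCTYPE itself is refused.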

What is the Impact of CVE-2020-14338?

The documented effect is on integrity: a crafted document can manipulate the outcome of schema validation, so input the application believes was validated against its own schema may not have been. If the application additionally leaves DTD processing and external entity resolution enabled, the classic XXE outcomes apply as well: disclosure of files readable by the server process, server-side request forgery, and entity-expansion denial of service. Nothing in the advisory supports arbitrary code execution.

What is the Exploitability of CVE-2020-14338?

Exploitation requires submitting a specially crafted XML document to an endpoint that parses and validates XML with the vulnerable Xerces build. The attack is remote and needs no authentication or privileges beyond reaching that endpoint; the only skill involved is familiarity with XML Schema and entity declarations, plus out-of-band techniques if data is to be exfiltrated. The preconditions are a vulnerable version (before 2.12.0.SP3) and an application that accepts XML from untrusted sources. Risk is greatest where the application has not also disabled DTDs and external entity resolution, since the validation flaw then combines with full XXE.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits.

What are the Available Fixes for CVE-2020-14338?

Available Upgrade Options

  • xerces:xercesImpl
    • <2.12.0.sp3 → Upgrade to 2.12.0.sp3


Additional Resources

What are Similar Vulnerabilities to CVE-2020-14338?

Similar Vulnerabilities: CVE-2020-14621, CVE-2019-17571, CVE-2019-10086, CVE-2018-11759, CVE-2017-1000487