GHSA-6hvf-xvwm-vrw4
XML Parsing vulnerability in xmltooling (Maven)
What is GHSA-6hvf-xvwm-vrw4 About?
The XMLTooling library, used by OpenSAML and the Shibboleth Service Provider, mishandles an exception raised inside its XML parsing class. Invalid data in the XML declaration of an incoming document raises an exception of a type that the parser's error handling does not catch; it propagates out of the parser and can crash or destabilise the consuming application, a Denial of Service. Exploitation takes little effort: an attacker only has to deliver a crafted XML document to an endpoint that parses it.
Affected Software
- org.opensaml:xmltooling (Maven): all versions before 3.0.4 (fixed in 3.0.4)
- OpenSAML and Shibboleth Service Provider deployments that parse XML through a vulnerable XMLTooling build
Technical Details
The XMLTooling library, in all versions prior to 3.0.4, contains an improper exception handling flaw in its XML parsing class. When the parser encounters invalid data in the XML declaration (the `<?xml ... ?>` prologue) of an incoming document, the failure raises an exception of a type that the parser's error-management routines do not catch: they are written for the exception type they expect from parsing errors, and this one is different. The unexpected exception therefore propagates up the call stack, past the parser and potentially past application-level error handling that was also written only for the expected type. The result is an abrupt termination of the parsing step, an application crash, or an inconsistent state, which amounts to a Denial of Service for services that rely on this parsing functionality, such as OpenSAML or the Shibboleth Service Provider. The practical check for an operator is simple: confirm the installed XMLTooling version is 3.0.4 or later, and inventory which network-facing endpoints hand untrusted XML to the parser.
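The bug class described above, as an added illustration: a standalone C++ model written for this page, not XMLTooling's code, and making no claim about how that library is structured internally. The names `check_declaration`, `ParseError`, `DeclError`, `parse_vulnerable` and `parse_hardened`, and the sample documents, are all hypothetical and constructed here. The toy declaration check throws one exception type for ordinary malformed input and a second, unrelated type for invalid declaration data; the "vulnerable" wrapper catches only the first, so the second escapes, while the "hardened" wrapper converts every exception into a defined result.

```cpp
// Added example (hypothetical model of GHSA-6hvf-xvwm-vrw4, not library code).
#include <cctype>
#include <cstdio>
#include <stdexcept>
#include <string>

// The exception type the wrapper expects from its parser backend.
struct ParseError : std::runtime_error { using std::runtime_error::runtime_error; };
// An unrelated type raised from the XML-declaration checks. Nothing in the
// vulnerable wrapper catches it.
struct DeclError : std::logic_error { using std::logic_error::logic_error; };

// EncName ::= [A-Za-z] ([A-Za-z0-9._] | '-')*
static bool valid_enc_name(const std::string& v) {
    if (v.empty() || !std::isalpha(static_cast<unsigned char>(v[0]))) return false;
    for (char c : v) {
        unsigned char u = static_cast<unsigned char>(c);
        if (!std::isalnum(u) && c != '.' && c != '_' && c != '-') return false;
    }
    return true;
}

// Checks the XML declaration against the XML 1.0 grammar:
//   <?xml version="1.N" [encoding="EncName"] [standalone="yes"|"no"] ?>
// Throws ParseError for an unterminated declaration (the "expected" failure)
// and DeclError for invalid declaration data (the "unexpected" failure).
static void check_declaration(const std::string& doc) {
    if (doc.compare(0, 5, "<?xml") != 0) return;          // no declaration: nothing to check
    const size_t end = doc.find("?>");
    if (end == std::string::npos) throw ParseError("unterminated XML declaration");
    const std::string decl = doc.substr(5, end - 5);
    size_t pos = 0;
    int stage = 0;  // 0 = nothing yet, 1 = version seen, 2 = encoding seen, 3 = standalone seen
    while (true) {
        while (pos < decl.size() && std::isspace(static_cast<unsigned char>(decl[pos]))) ++pos;
        if (pos >= decl.size()) break;
        const size_t eq = decl.find('=', pos);
        if (eq == std::string::npos) throw DeclError("pseudo-attribute without '='");
        std::string name = decl.substr(pos, eq - pos);
        while (!name.empty() && std::isspace(static_cast<unsigned char>(name.back()))) name.pop_back();
        size_t q = eq + 1;
        while (q < decl.size() && std::isspace(static_cast<unsigned char>(decl[q]))) ++q;
        if (q >= decl.size() || (decl[q] != '"' && decl[q] != '\''))
            throw DeclError("unquoted value for " + name);
        const size_t close = decl.find(decl[q], q + 1);
        if (close == std::string::npos) throw DeclError("unterminated value for " + name);
        const std::string value = decl.substr(q + 1, close - q - 1);
        pos = close + 1;
        if (name == "version") {
            if (stage != 0) throw DeclError("version must be the first pseudo-attribute");
            if (value.size() < 3 || value.compare(0, 2, "1.") != 0) throw DeclError("bad version '" + value + "'");
            for (size_t i = 2; i < value.size(); ++i)
                if (!std::isdigit(static_cast<unsigned char>(value[i]))) throw DeclError("bad version '" + value + "'");
            stage = 1;
        } else if (name == "encoding") {
            if (stage != 1) throw DeclError("encoding out of order or repeated");
            if (!valid_enc_name(value)) throw DeclError("bad encoding name '" + value + "'");
            stage = 2;
        } else if (name == "standalone") {
            if (stage != 1 && stage != 2) throw DeclError("standalone out of order or repeated");
            if (value != "yes" && value != "no") throw DeclError("bad standalone value '" + value + "'");
            stage = 3;
        } else {
            throw DeclError("unknown pseudo-attribute '" + name + "'");
        }
    }
    if (stage == 0) throw DeclError("XML declaration without version");
}

enum class Outcome { Accepted, Rejected, Escaped };

// Vulnerable pattern: only the exception type the author anticipated is caught.
static Outcome parse_vulnerable(const std::string& doc) {
    try { check_declaration(doc); return Outcome::Accepted; }
    catch (const ParseError&) { return Outcome::Rejected; }
    // DeclError is not handled here and propagates to the caller.
}

// Hardened pattern: every exception becomes one well-defined result.
static Outcome parse_hardened(const std::string& doc) {
    try { check_declaration(doc); return Outcome::Accepted; }
    catch (const ParseError&) { return Outcome::Rejected; }
    catch (const std::exception&) { return Outcome::Rejected; }  // DeclError and anything std-derived
    catch (...) { return Outcome::Rejected; }                    // non-std exceptions too
}

// Stand-in for the rest of the process: records whether an exception escaped
// parse_vulnerable. A daemon with no such outer handler would terminate instead.
static Outcome run_vulnerable(const std::string& doc) {
    try { return parse_vulnerable(doc); } catch (...) { return Outcome::Escaped; }
}

int main() {
    // Constructed sample documents (not captured traffic).
    const std::string good    = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><Response/>";
    const std::string crafted = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"maybe\"?><Response/>";
    const std::string cut     = "<?xml version=\"1.0\" encoding=\"UTF-8\"";
    auto show = [](const char* label, Outcome o) {
        const char* s = o == Outcome::Accepted ? "accepted" : o == Outcome::Rejected ? "rejected" : "EXCEPTION ESCAPED";
        std::printf("%-24s %s\n", label, s);
    };
    show("vulnerable / good", run_vulnerable(good));
    show("vulnerable / crafted", run_vulnerable(crafted));
    show("vulnerable / truncated", run_vulnerable(cut));
    show("hardened / crafted", parse_hardened(crafted));
    return 0;
}
```

The point of the hardened wrapper is not the catch-all by itself but the translation step: whatever the backend throws, the caller sees one of a small set of results it already handles, so a new failure type introduced in a lower layer cannot turn into a crash. The declaration check is written to the XML 1.0 grammar rather than to one bad input, so it rejects the whole family of malformed declarations (bad version, bad encoding name, out-of-order or unknown pseudo-attributes) and not only the `standalone` case used in the sample.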
What is the Impact of GHSA-6hvf-xvwm-vrw4?
A remote attacker who can deliver a crafted XML document to a parsing endpoint can crash the application or leave it in an unstable state, denying service to its users. The impact described is availability only; no confidentiality or integrity effect is claimed.
What is the Exploitability of GHSA-6hvf-xvwm-vrw4?
Exploitation is straightforward. An attacker sends specially crafted XML to an application that parses it with a vulnerable version of XMLTooling, such as OpenSAML or the Shibboleth Service Provider; the only prerequisite is the ability to submit XML to the target. No privileges are required, because the flaw sits in the parsing logic itself, and authentication is rarely a barrier: parsing happens before the content of a message can be checked, and in a SAML Service Provider the endpoints that receive responses from an identity provider must by design accept XML from parties that have not yet authenticated. The attack is remote, typically over HTTP or HTTPS, with the malicious XML carried in a request body or a file upload. The one special condition is that the XML declaration must contain invalid data of the kind that triggers the uncaught exception. Risk is highest where the application publicly exposes endpoints that accept and parse XML from untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for GHSA-6hvf-xvwm-vrw4?
Available Upgrade Options
- org.opensaml:xmltooling
- affected: <3.0.4 → upgrade to 3.0.4 or later
Additional Resources
- https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories
- https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912
- https://security.netapp.com/advisory/ntap-20190611-0003
- https://shibboleth.net/community/advisories/secadv_20190311.txt
- https://usn.ubuntu.com/3921-1
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html
- https://osv.dev/vulnerability/GHSA-6hvf-xvwm-vrw4
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-9628
What are Similar Vulnerabilities to GHSA-6hvf-xvwm-vrw4?
Similar Vulnerabilities: CVE-2017-1000164, CVE-2018-12534, CVE-2019-10086, CVE-2020-5398, CVE-2021-3923
