Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API Validation XML Schemas do not forbid file system access (XXE) #1021

Closed
brianwrf opened this issue Sep 27, 2018 · 7 comments
Closed

API Validation XML Schemas do not forbid file system access (XXE) #1021

brianwrf opened this issue Sep 27, 2018 · 7 comments
Assignees
@pmlopes
Labels
bug
Milestone
3.5.4

Comments

@brianwrf
Copy link

Version

  • vert.x web: <= 3.5.3

Context

Just found a potential XXE vulnerability in vertx-web as show below, it seems function isValid didn't add any protection from XXE vulnerability when parsing XML document.

https://github.com/vert-x3/vertx-web/blob/3.5.3/vertx-web-api-contract/src/main/java/io/vertx/ext/web/api/validation/impl/XMLTypeValidator.java#L34

Mitigation

Follow the OWASP guide below which provides concise information to prevent this vulnerability. https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java
@brianwrf brianwrf mentioned this issue Sep 27, 2018
Closed
@pmlopes pmlopes self-assigned this Sep 27, 2018
@pmlopes pmlopes mentioned this issue Sep 28, 2018
Merged
@vietj vietj added this to the 3.5.4 milestone Sep 28, 2018
@pmlopes pmlopes removed the to review label Sep 28, 2018
pmlopes added a commit that referenced this issue Sep 28, 2018
@pmlopes
Merge pull request #1022 from /issues/1021
ea0b093 
Issues/1021
@vietj vietj mentioned this issue Sep 28, 2018
Closed
22 tasks
@brianwrf
Copy link
Author

@pmlopes Thanks for the fast fix. Is there a CVE announcement on this issue?

Cheers,
Brian

@pmlopes pmlopes changed the title Potential XXE vulnerability in vertx-web API Validation XML Schemas do not forbid file system access (XXE) Sep 28, 2018
@vietj
Copy link
Contributor

vietj commented Sep 28, 2018

@brianwrf there might be one indeed

@brianwrf
Copy link
Author

@vietj Thanks for your response. Can you kindly please keep me updated if the CVE announcement is ready?

@vietj
Copy link
Contributor

vietj commented Sep 28, 2018

it will be part of the 3.5.4 release notes, so just watch this

@pmlopes
Copy link
Member

pmlopes commented Sep 28, 2018
edited
Loading

Note

This issue is not affected by user/application input, but only by badly crafted application configuration. Users using the api contracts module with the default settings are not affected, only if explicitly enabled the XML validation and provided a malicious XSD as input.

@brianwrf
Copy link
Author

@vietj @pmlopes Thanks for the confirmation.

@vietj
Copy link
Contributor

vietj commented Oct 3, 2018

This has been identified as CVE-2018-12544 - the CVE has not yet been fulfilled at the moment of writing this but it will be soon

@vietj vietj added the bug label Oct 3, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pmlopes pmlopes

Labels
bug
Milestone
3.5.4
Development

No branches or pull requests
3 participants
@vietj @pmlopes @brianwrf