XML Injection (aka Blind XPath Injection) in alovoa/alovoa

Valid

Reported on

Jul 23rd 2021


✍️ Description

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the SAML2AssertionValidator method. Access to external entities was not disabled in XML parsing.

🕵️‍♂️ Proof of Concept

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

💥 Impact

If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.
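The condition named in the description (external entity access left enabled in XML parsing) and its fix, as an added example that is not alovoa's own code: a default `DocumentBuilderFactory` beside a hardened one, checked against a constructed document whose DTD declares an external entity. The class and method names and the placeholder entity URI are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

/** Added example (hypothetical names): default vs hardened DOM parser setup for XXE. */
public class XxeHardeningExample {

    // Constructed sample: the DTD declares an external entity. The URI is a placeholder;
    // a default-configured parser would try to resolve it and inline the result into <data>.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER\"> ]>\n"
        + "<data>&ext;</data>";

    /** The vulnerable setup: JAXP defaults accept a DOCTYPE and resolve external entities. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened setup: refuse any DOCTYPE (which removes XXE entirely) and, as defence in
     *  depth, disable external general/parameter entities, external DTD loading and XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** True when the parser rejects the document at the DOCTYPE, before any entity is fetched. */
    static boolean rejectsDoctype(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // DOCTYPE accepted: the entity would have been resolved
        } catch (SAXParseException e) {
            return true;  // "DOCTYPE is disallowed" from the hardened parser
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects DOCTYPE: " + rejectsDoctype(hardenedFactory(), SAMPLE));
    }
}
```

Running `rejectsDoctype` with `defaultFactory()` instead makes the parser attempt to open the placeholder URI, which is exactly the file or URL access the impact section describes.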

We have contacted a member of the alovoa team and are waiting to hear back.
Nho Quy Dinh validated this vulnerability.
Raptor has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Nho Quy Dinh confirmed that a fix has been merged on f3b393.
Nho Quy Dinh has been awarded the fix bounty.