XML Injection (aka Blind XPath Injection) in alovoa/alovoa

Valid

Reported on

Jul 23rd 2021


✍️ Description

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the SAML2AssertionValidator method. Access to external entities was not disabled in XML parsing.

🕵️‍♂️ Proof of Concept

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

💥 Impact

If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.

We have contacted a member of the alovoa team and are waiting to hear back 2 years ago
Nho Quy Dinh validated this vulnerability 2 years ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nho Quy Dinh marked this as fixed with commit f3b393 2 years ago
Nho Quy Dinh has been awarded the fix bounty
This vulnerability will not receive a CVE