XXE Vulnerability in Apache Cocoon (CVE-2020-11991)

Last updated: 2020-12-15 15:20:27

    On September 11, 2020, the Apache Software Foundation issued a security advisory to fix the XXE vulnerability in Apache Cocoon (CVE-2020-11991).

    Vulnerability Details

    Apache Cocoon is a Spring-based framework built around the concept of separation of concerns. Each processing job is a linear chain of predefined processing components, each of which consumes the output of the previous stage and passes its own output on, so the whole job runs as a pipeline. Its users include Apache Lenya, Daisy CMS, Hippo CMS, Mindquarry, etc. It is usually deployed as a data ETL tool or as a relay for data transfer between systems.

    CVE-2020-11991 affects the StreamGenerator component. When the StreamGenerator is used, Cocoon parses XML supplied by the user, and a specially crafted document that declares external system entities could be used to access any file on the server system.
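    As an added illustration (not code from the advisory or from Apache Cocoon), the following Python check shows how a defender can gate XML before a StreamGenerator-style component parses it: it relies only on expat's declaration callbacks, never resolves anything, and rejects documents that declare an external DTD or an external entity. The sample documents are constructed for the demonstration.

```python
from xml.parsers.expat import ParserCreate, ExpatError


def find_external_entities(xml_bytes):
    """Walk the DTD with expat's declaration callbacks only, so nothing external
    is resolved; return (kind, name, identifier) for every external reference."""
    findings = []
    parser = ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:  # external DTD subset
            findings.append(("doctype", name, system_id or public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:  # external entity
            kind = "parameter-entity" if is_param else "general-entity"
            findings.append((kind, name, system_id or public_id))

    def on_external_ref(context, base, system_id, public_id):
        # Fires when content references an external entity. Returning 1 tells
        # expat the reference was handled; we record it and fetch nothing.
        findings.append(("entity-reference", context, system_id or public_id))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return findings


def accept_for_generator(xml_bytes):
    """Gate decision: (accepted, findings). Malformed XML fails closed."""
    try:
        findings = find_external_entities(xml_bytes)
    except ExpatError as exc:
        return False, [("malformed", str(exc), None)]
    return not findings, findings


# Constructed sample inputs (not from the advisory).
CLEAN = b'<?xml version="1.0"?><order><id>42</id></order>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE order [<!ENTITY host SYSTEM "file:///etc/hostname">]>'
       b'<order><id>&host;</id></order>')
EXT_DTD = b'<!DOCTYPE order SYSTEM "http://dtd.example.invalid/order.dtd"><order/>'

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("xxe", XXE), ("ext-dtd", EXT_DTD)):
        print(label, accept_for_generator(doc))
```

    Because the check runs before the real parser and resolves nothing, it is safe to apply to untrusted input; a simpler policy is to reject any DOCTYPE at all when the application never needs one.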

    Severity

    High

    Risks

    A specially crafted XML, including external system entities, could be used to access any file on the server system.

    Affected Versions

    Apache Cocoon <= 2.1.12

    Suggestions for Fix

    The vulnerability has been officially fixed in a new release. Tencent Security recommends that you:

    • Upgrade to the latest version (2.1.13) of Apache Cocoon.
    • Enable WAF rules that detect and block XXE attacks such as CVE-2020-11991.

    Note:

    Back up your data before installing the patch to avoid accidental losses.

    References

    Official update notice: