On September 11, 2020, the Apache Software Foundation issued a security advisory to fix the XXE vulnerability in Apache Cocoon (CVE-2020-11991).
Apache Cocoon is a Spring-based framework built around the concepts of separation. All processing jobs under it are linearly connected by predefined processing components, which can process the inputs and generated outputs in a pipeline sequence. Its users include Apache Lenya, Daisy CMS, Hippo CMS, Mindquarry, etc. It is usually used as a data ETL tool or relay for data transfer between systems.
CVE-2020-11991 is related to StreamGenerator. When using the StreamGenerator, Cocoon parses a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
A specially crafted XML, including external system entities, could be used to access any file on the server system.
Apache Cocoon <= 2.1.12
The vulnerability has been officially fixed in the new version. Tencent Security recommends you:
Back up your data before installing the patch to avoid accidental losses.
Official update notice: