23 Oct Security Advisory – SOS-19-001 – XML External Entities Injection (XXE) in XNAT 1.7
Inteset Secure Lockdown Standard Edition – Privilege Escalation and Insecure Cryptographic Storage.
Release Date: 23-Oct-2019
Last Update: –
Vendor Notification Date: 09-Jul-2019
Platform: Linux and possibly others
Affected versions: 18.104.22.168 (confirmed) and possibly earlier versions
Severity Rating: High
Impact: System Access
Attack Vector: Remote with authentication
Solution Status: XNAT 22.214.171.124 Hotfix Release
CVE reference: CVE – 2019-14276
An XML External Entity (XXE) vulnerability is an attack against an application that parses XML input. Importing an XML file that contains an XML external entity to the XNAT application permits an attacker to retrieve a local file from the web server. The attacker must be authenticated to the application. This attack occurs when XML input contains a reference to an external entity such as a local file on the web server. Common targets include configuration files, e.g. ASP.NET web.config or Linux password files, e.g. /etc/shadow.
The following URL is affected: /REST/search
Please refer to the PDF version of this advisory for proof of concept code examples.
Apply patch from XNAT 126.96.36.199 Hotfix Release.
Additional information is available at:
Hamed Merati from Sense of Security Labs.