Miggo Logo
Miggo Vulnerability Database
CVE-2018-20059

CVE-2018-20059: Improper Restriction of XML External Entity Reference in pippo-core

9.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-20059
GHSA ID
GHSA-rmm5-g63h-m6g9
EPSS Score
0.60135%
CWE
CWE-611
Published
12/19/2018
Updated
3/4/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
ro.pippo:pippo-coremaven< 1.12.01.12.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsafe XML parsing in JaxbEngine's deserialization method. The pre-patch code directly used JAXB's Unmarshaller on a StringReader without security configurations. The critical fix introduced XMLInputFactory with IS_SUPPORTING_EXTERNAL_ENTITIES=false to block XXE, confirming the vulnerability existed in the original fromString method. The method's responsibility for XML deserialization and the patch's focus on this function directly correlate to the XXE vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

j*x*/J*x**n*in*.j*v* in Pippo *.**.* *llows XX*.

Reasoning

T** vuln*r**ility st*ms *rom uns*** XML p*rsin* in J*x**n*in*'s **s*ri*liz*tion m*t*o*. T** pr*-p*t** *o** *ir**tly us** J*X*'s Unm*rs**ll*r on * Strin*R****r wit*out s**urity *on*i*ur*tions. T** *riti**l *ix intro*u*** XMLInput***tory wit* IS_SUPPOR