
CVE-2019-5312: XML External Entity Reference in weixin-java-tools

CVSS Score: 9.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.64226%
Published: 5/14/2022
Updated: 1/8/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: com.github.binarywang:weixin-java-common
Ecosystem: maven
Vulnerable Versions: < 3.3.2.B
First Patched Version: 3.3.2.B

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from XML parsing in getXmlDoc(), where DocumentBuilderFactory was configured with setExpandEntityReferences(false) but without setFeature("http://apache.org/xml/features/disallow-doctype-decl", true). setExpandEntityReferences(false) only changes how entity references are represented in the resulting DOM; the parser still accepts a DOCTYPE declaration and still resolves the entities it declares, so a crafted payment notification could make the application read local files or issue outbound requests. Refusing the DOCTYPE altogether is what closes that path. The patched commit 8ec61d1 explicitly adds the missing feature in getXmlDoc(), confirming this was the vulnerable function. The test case in BaseWxPayResultTest.java also exercises XXE payloads against this method.
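The two factory configurations described above, side by side, as an added example that is not code from weixin-java-tools or from the advisory. The class name, the sample payload, and the file path the entity points at are assumptions chosen for the demo; the only things taken from the page are the two DocumentBuilderFactory settings it names.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeFactoryDemo {

    // Constructed sample: the shape of a WeChat Pay result document, with a DOCTYPE
    // that declares an external entity pointing at a local file. The file name is an
    // arbitrary choice for the demo, not taken from the advisory.
    static final String PAYLOAD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE xml [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<xml><return_code>SUCCESS</return_code><out_trade_no>&xxe;</out_trade_no></xml>\n";

    // The incomplete configuration the advisory describes: entity references are kept
    // as EntityReference nodes in the DOM, but the DOCTYPE is still accepted and the
    // JDK's Xerces parser still resolves the external entity to build that node's
    // children, so the file is read.
    static DocumentBuilderFactory incompleteFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(false);
        return f;
    }

    // The fix: refuse any DOCTYPE at all, so no entity can be declared. The extra
    // features are defence in depth for parsers that do not recognise the Xerces name.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse the document and return the text of <out_trade_no>, the way a result
    // object reads a field out of the notification.
    static String outTradeNo(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("out_trade_no").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            String v = outTradeNo(incompleteFactory(), PAYLOAD);
            System.out.println("incomplete fix: DOCTYPE accepted, out_trade_no = " + v.trim());
        } catch (Exception e) {
            // A missing or unreadable target still proves the point: the parser tried to open it.
            System.out.println("incomplete fix: DOCTYPE accepted, entity fetch attempted: " + e);
        }
        try {
            outTradeNo(hardenedFactory(), PAYLOAD);
            System.out.println("hardened: unexpectedly parsed");
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected at DOCTYPE -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeFactoryDemo.java && java XxeFactoryDemo`. With the first factory the value of out_trade_no is whatever the entity resolved to (or an I/O error naming the file, if it cannot be read), which is the behaviour the advisory describes; with the second, parsing stops at the DOCTYPE before any entity is declared, which is the check to keep in a unit test for any parser that consumes untrusted XML.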


WAF Protection Rules

WAF Rule

An issue was discovered in weixin-java-tools. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-****-*****.
