
CVE-2020-13692: Improper Restriction of XML External Entity Reference

CVSS Score (v3.1)
7.7

Basic Information

EPSS Score
0.84583%
Published
2/10/2022
Updated
5/15/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H
Package Name
org.postgresql:postgresql
Ecosystem
maven
Vulnerable Versions
>= 9.4.1212.jre6, < 42.2.13
First Patched Version
42.2.13

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from insecure XML factory instantiation in the PgSQLXML methods. Pre-patch code called DocumentBuilderFactory.newInstance(), XMLInputFactory.newInstance(), and TransformerFactory.newInstance() with their default settings, without disabling DTD processing or external entity resolution. The fix (commit 14b62ac) introduced PGXmlFactoryFactory to enforce a secure configuration, confirming these methods were vulnerable. In versions before 42.2.13 the affected methods parsed and transformed XML directly without XXE safeguards.
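To make the root cause concrete, here is an added example (not the driver's PGXmlFactoryFactory, and not code from this page) that builds hardened versions of the three factories named above and checks that a DTD-bearing document is refused; the class name XmlFactoryHardening and the sample document are my own constructions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
// Hypothetical helper (not the driver's PGXmlFactoryFactory): hardened versions of the
// three JAXP factories the advisory names, plus a check that the hardening took effect.
public class XmlFactoryHardening {
    // DOM: refuse any DOCTYPE, and disable external entities and XInclude as a backstop.
    static DocumentBuilderFactory secureDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f;
    }
    // StAX: turn off DTD support and external entity resolution.
    static XMLInputFactory secureXmlInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }
    // Transformer: block fetches of external DTDs and stylesheets.
    static TransformerFactory secureTransformerFactory() {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }
    // True when the factory parses a constructed document that declares a DTD (the
    // precondition for XXE); a correctly hardened factory returns false.
    static boolean acceptsDoctype(DocumentBuilderFactory f) throws Exception {
        String doc = "<!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>"; // constructed sample input
        try {
            f.newDocumentBuilder().parse(new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (org.xml.sax.SAXException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        // Pre-patch shape: a bare newInstance() with JAXP defaults accepts the DTD.
        System.out.println("default factory accepts DOCTYPE:  " + acceptsDoctype(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened factory accepts DOCTYPE: " + acceptsDoctype(secureDocumentBuilderFactory()));
    }
}
```

The check in acceptsDoctype is the kind of unit test a project can keep beside its factory helper so that a later refactor cannot silently reintroduce the default, DTD-accepting configuration.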


WAF Protection Rules

WAF Rule

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
