
CVE-2020-25020: Improper Restriction of XML External Entity Reference in MPXJ

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.82858%
Published: 5/7/2021
Updated: 1/29/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name      | Ecosystem | Vulnerable Versions | First Patched Version
net.sf.mpxj:mpxj  | maven     | < 8.1.4             | 8.1.4

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from insecure XML parser configuration in the GanttProjectReader and PhoenixReader components. The commit diff shows that the fix added an XMLReaderHelper which enables the 'disallow-doctype-decl' feature to prevent XXE. Before this fix, both readers used standard JAXB unmarshalling with the platform default parser and no secure parser settings, so a DOCTYPE declaration in a supplied file could define external entities and the parser would resolve them. The advisory explicitly names these two components as affected, and the patch directly changes their XML handling.
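The hardening the analysis describes, as an added example written for this page rather than MPXJ's own XMLReaderHelper code: a JAXB unmarshal path that builds the XMLReader itself, refuses any DOCTYPE, and hands that reader to JAXB through a SAXSource, next to the default-parser pattern the advisory says the readers used before the fix. The class and method names are my own.

```java
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

import java.io.InputStream;

/** Added example (not MPXJ code): JAXB unmarshalling with and without a hardened parser. */
public final class SafeUnmarshal {

    // Pre-fix pattern: JAXB selects the platform default parser, which processes
    // DOCTYPE declarations and resolves external entities unless told otherwise.
    static <T> T unmarshalUnsafe(Class<T> type, InputStream in) throws JAXBException {
        Unmarshaller u = JAXBContext.newInstance(type).createUnmarshaller();
        return type.cast(u.unmarshal(in));
    }

    // Hardened pattern, modelled on the fix: configure the XMLReader ourselves and
    // pass it to JAXB inside a SAXSource so JAXB cannot substitute its own parser.
    static <T> T unmarshalSafe(Class<T> type, InputStream in)
            throws JAXBException, ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // The feature named in the advisory's fix: any document carrying a DOCTYPE is
        // rejected outright, so no entity (internal or external) can be declared at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept DOCTYPEs despite the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        XMLReader reader = factory.newSAXParser().getXMLReader();
        Unmarshaller u = JAXBContext.newInstance(type).createUnmarshaller();
        SAXSource source = new SAXSource(reader, new InputSource(in));
        return type.cast(u.unmarshal(source));
    }
}
```

With the hardened path, a file that begins with a DOCTYPE fails the parse with a SAXParseException before any element is unmarshalled, which is the behaviour to expect (and to test for) after applying the 8.1.4 fix.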
