
CVE-2020-36641: aXMLRPC XML External Entity vulnerability

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.27023%
Published: 1/5/2023
Updated: 2/13/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: fr.turri:aXMLRPC
Ecosystem: maven
Vulnerable Versions: < 1.12.1
First Patched Version: 1.12.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the XML parsing implementation in ResponseParser. Commit ad6615b3 modifies the parse() method to enable the disallow-doctype-decl parser feature and to set expandEntityReferences=false, which together mitigate XXE. The CVE description names this function as the affected component, and the patch location confirms that the weakness lay in how the XML parser was initialized within this method.
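As an added illustration (not aXMLRPC's own code), the following shows a JAXP DocumentBuilderFactory left at its defaults beside one configured with the two settings the fix introduces, run against a constructed XML-RPC response that carries a DOCTYPE; the class name, helper names and sample response are assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmlRpcParserHardening {

    // Constructed sample: an XML-RPC response that carries a DOCTYPE with an
    // internal entity. A well-behaved XML-RPC server never needs a DTD, so the
    // presence of one in a response is itself a reason to reject the document.
    static final String RESPONSE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE methodResponse [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<methodResponse><params><param>"
      + "<value><string>&greeting;</string></value>"
      + "</param></params></methodResponse>";

    // Weak configuration: JAXP defaults accept a DOCTYPE and expand entity
    // references, so a server-controlled response can declare entities that
    // the client parser will resolve (the condition behind CVE-2020-36641).
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration with the two settings named in the root cause
    // analysis: refuse any DOCTYPE outright and do not expand entity references.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses a response and returns the first <string> value it contains.
    static String parseFirstString(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("string").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // The default parser resolves the entity and yields "hello".
        System.out.println("weak: " + parseFirstString(weakBuilder(), RESPONSE_WITH_DOCTYPE));
        try {
            parseFirstString(hardenedBuilder(), RESPONSE_WITH_DOCTYPE);
        } catch (SAXException e) {
            // The hardened parser stops at the DOCTYPE before any entity is seen.
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```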
