CVE-2021-43142:
Improper Restriction of XML External Entity Reference in wutka jox

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.53463%
Published: 4/1/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name    Ecosystem    Vulnerable Versions    First Patched Version
com.wutka:jox   maven        <= 1.16                (none listed)

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability description explicitly identifies the readObject method in JOXSAXBeanInput as the source. Technical analysis from the referenced blog post shows that this method passes the supplied input straight to SAXParser.parse() without configuring XML security features such as FEATURE_SECURE_PROCESSING or disabling DTDs, so a document that declares an external entity in its DOCTYPE is processed as-is. The proof of concept demonstrates XXE exploitation through this method. Java package naming conventions suggest the class lives under the com/wutka/jox path. The direct match between the advisory details and the code analysis gives high confidence in this root cause.

WAF Protection Rules

WAF Rule

An XML External Entity (XXE) vulnerability exists in wutka jox 1.16 in the readObject method in JOXSAXBeanInput.
