
CVE-2022-23640: Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.55524%
Published: 3/2/2022
Updated: 7/24/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: com.monitorjbl:xlsx-streamer
Ecosystem: maven
Vulnerable Versions: < 2.1.0
First Patched Version: 2.1.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insecure default XML parser configurations. While the exact file and function names are not visible in the available resources, the commit message and the advisory explicitly state that the root cause was missing security settings in the XML parser. All versions before 2.1.0 used Apache Xerces/Xerces2-j without properly setting features such as FEATURE_SECURE_PROCESSING, DISALLOW_DOCTYPE_DECL, or LOAD_EXTERNAL_DTD. These settings are normally applied where the parser is initialized, which makes the parser setup functions the logical vulnerable component.
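As an added illustration (not code from xlsx-streamer or from Miggo), the JAXP defaults beside a factory configured with the Xerces features named above, plus a constructed document with a harmless internal DTD that confirms the hardened parser rejects any DOCTYPE. The class and method names are my own; the feature URIs are the standard Xerces/SAX ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedXmlFactories {
    // Weak: JAXP defaults accept a DOCTYPE and resolve external entities.
    static SAXParserFactory defaultSaxFactory() {
        return SAXParserFactory.newInstance();
    }
    // Hardened with the Xerces features named in the root cause analysis:
    // no DOCTYPE at all, so neither XXE nor entity expansion can start.
    static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f;
    }
    // Same intent for StAX, the pull-parser API a streaming sheet reader typically uses.
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }
    // Constructed probe: a harmless internal DTD. A parser that accepts it would
    // also accept a DOCTYPE declaring external entities.
    static final String PROBE = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";

    static boolean rejectsDoctype(SAXParserFactory f) throws Exception {
        try {
            f.newSAXParser().parse(new InputSource(new StringReader(PROBE)), new DefaultHandler());
            return false;
        } catch (SAXParseException rejected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory rejects DOCTYPE: " + rejectsDoctype(defaultSaxFactory()));
        System.out.println("hardened factory rejects DOCTYPE: " + rejectsDoctype(hardenedSaxFactory()));
    }
}
```

The probe is the check to keep in a unit test: if it ever parses successfully, the parser configuration has regressed to the pre-2.1.0 state.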

WAF Protection Rules

WAF Rule

### Impact
Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML entity expansion issues.
### Patches
Upgrade to version 2.1.0.
### Workarounds
No known workaround.
### References
https:
