Description: An XXE vulnerability exists in LabKey Server due to an outdated Java library. This allows arbitrary files to be read from the server.
Versions Affected: LabKey Server 19.1.0
Researcher: David Yesland (https://twitter.com/daveysec)
Disclosure Link: https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-9757
The application parses SVG/XML data to render it as an image. If an external entity is used in the XML, the contents of files can be rendered into the image.
Within LabKey Server, export a report graph as a PNG and send the contents of CVE-2019-9757.svg with the POST request.
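
A defense-in-depth screen for the parsing behaviour described above, added here as an example (it is not LabKey's code and not part of the advisory): it reports DOCTYPE and entity declarations in SVG data before that data reaches a renderer. The function names and both sample SVGs are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed samples (not from the advisory): a plain SVG, and one that
# declares an external entity pointing at a placeholder path.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
ENTITY_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [ <!ENTITY probe SYSTEM "file:///constructed/placeholder.txt"> ]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'
)


def scan_svg(data: bytes) -> list:
    """Return findings that should block rendering; an empty list means none."""
    findings = []
    parser = expat.ParserCreate()
    # Never read external DTD subsets or parameter entities while scanning.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append("doctype:" + name)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        external = system_id is not None or public_id is not None
        findings.append(("external-entity:" if external else "internal-entity:") + name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is installed, so expat never opens a
    # SYSTEM or PUBLIC identifier itself; declarations are only reported.
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        findings.append("malformed")  # fail closed on anything unparseable
    return findings


def is_safe_to_render(data: bytes) -> bool:
    """True only when the scan found no DOCTYPE, entity or parse problem."""
    return not scan_svg(data)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("entity", ENTITY_SVG)):
        print(label, scan_svg(sample))
```

This screen also flags the standard SVG 1.1 DOCTYPE that some tools emit, so legitimate exports may need that declaration stripped before submission.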