works only up to v2.1.0 #1

Hello,
are you sure this works with the current version v2.1.4?
For me it only works if I use v2.1.0 (or disable the XXE prevention features).
BR, 马瑞麒

Comments
The test version used in the test case is also POC-verified against the latest v2.1.4, which is feasible on my side.
------------------ Original message ------------------
From: "joker-xiaoyan/XXE-SAXReader" ***@***.***>;
Sent: 27 October 2023 (Friday) 4:34 PM
Subject: [joker-xiaoyan/XXE-SAXReader] works only up to v2.1.0 (Issue #1)
Hello,
are you sure this works with the current version v2.1.4?
For me it only works if I use v2.1.0 (or disable the XXE prevention features).
BR, 马瑞麒
OK, I figured it out:
It's not a vulnerability in dom4j, but in the underlying SAX parser.
In my case it didn't trigger the vulnerability, as I am using JDK17's embedded java.xml\com\sun\org\apache\xerces\internal\jaxp\SAXParserImpl.java
ok! Thanks
------------------ Original message ------------------
From: "joker-xiaoyan/XXE-SAXReader" ***@***.***>;
Sent: 27 October 2023 (Friday) 5:10 PM
Subject: Re: [joker-xiaoyan/XXE-SAXReader] works only up to v2.1.0 (Issue #1)
OK, I figured it out:
It's not a vulnerability in dom4j, but in the underlying SAX parser.
In my case it didn't trigger the vulnerability, as I am using JDK17's embedded java.xml\com\sun\org\apache\xerces\internal\jaxp\SAXParserImpl.java
You're welcome :-)
Reference to dom4j issue: #dom4j/dom4j#171
Can you say which SAX parser your tests used, or which JDK? Since the feature flags are directly forwarded to the underlying XMLReader, it's not dom4j's direct fault.
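The comment above makes the point that dom4j hands its feature flags straight to the XMLReader it wraps, so that is where the effective XXE configuration lives and where a defender should check it. The following is an added example (my code, not code from the XXE-SAXReader repository or from dom4j) of a SAXReader hardened against XXE: it sets the standard SAX and Xerces features that disable DOCTYPE processing and external entity loading, reads the effective values back from the underlying XMLReader, and confirms that a constructed DOCTYPE document is refused while a plain document still parses. The class name, the method names and the placeholder entity path are assumptions of this example; the feature URIs are the standard ones recognised by the JDK's built-in Xerces parser.

```java
import java.io.StringReader;

import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/**
 * Added example (not from the XXE-SAXReader repository or from dom4j):
 * a dom4j SAXReader hardened against XXE, plus a check that the settings
 * actually reached the SAX parser underneath.
 */
public class HardenedSaxReaderDemo {

    // Standard SAX / Xerces feature URIs controlling DTD and external-entity handling.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAM = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Returns a SAXReader that refuses DOCTYPE declarations and external entities. */
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Rejecting the DOCTYPE outright is the strongest option; the remaining
        // flags cover parsers that do not recognise the first one.
        reader.setFeature(DISALLOW_DOCTYPE, true);
        reader.setFeature(EXTERNAL_GENERAL, false);
        reader.setFeature(EXTERNAL_PARAM, false);
        reader.setFeature(LOAD_EXTERNAL_DTD, false);
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        return reader;
    }

    /**
     * setFeature() is forwarded to the wrapped XMLReader, so the effective state
     * lives there. Reading it back confirms that the JDK's parser honoured the
     * request instead of trusting the dom4j-side call.
     */
    static boolean featuresReachedParser(SAXReader reader) throws SAXException {
        XMLReader xr = reader.getXMLReader();
        return xr.getFeature(DISALLOW_DOCTYPE)
                && !xr.getFeature(EXTERNAL_GENERAL)
                && !xr.getFeature(EXTERNAL_PARAM)
                && !xr.getFeature(LOAD_EXTERNAL_DTD);
    }

    /** Parses the string; returns true only if the reader rejected the document. */
    static boolean rejects(SAXReader reader, String xml) {
        try {
            reader.read(new StringReader(xml));
            return false; // parsed: the DOCTYPE was accepted
        } catch (DocumentException e) {
            return true;  // rejected with a parse error, as intended
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test input: a DOCTYPE defining an external entity that points
        // at an obviously fake placeholder path. A hardened parser must refuse the
        // document before it ever tries to resolve that location.
        String doctypePayload =
                "<?xml version=\"1.0\"?>\n"
              + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\">]>\n"
              + "<data>&ext;</data>";
        String benign = "<data>hello</data>";

        SAXReader reader = hardenedReader();
        System.out.println("features reached XMLReader: " + featuresReachedParser(reader));
        System.out.println("DOCTYPE document rejected:  " + rejects(reader, doctypePayload));
        System.out.println("benign document rejected:   " + rejects(reader, benign));
    }
}
```

With the JDK's built-in parser this prints true, true, false. Because the features are read back from the XMLReader rather than from dom4j, the same check exposes a different SAX implementation on the classpath that ignores one of the URIs, which is exactly the class of difference the rest of this thread is trying to pin down.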
JDK8
@joker-xiaoyan Which specific JDK 8 vendor and version? I cannot replicate with […]. Can you please consider withdrawing this CVE unless you can provide specific replication instructions? Even if there is a problem with the underlying […]
I am using version 1.8.0.371 of the JDK
Thanks @joker-xiaoyan. I still cannot replicate this with liberica-8u372+7 and dom4j 2.1.4 (which is the fuller patch release corresponding to 371).
$ /Users/chad/.local/share/rtx/installs/java/liberica-8u372+7/bin/java -version
openjdk version "1.8.0_372"
OpenJDK Runtime Environment (build 1.8.0_372-b07)
OpenJDK 64-Bit Server VM (build 25.372-b07, mixed mode)
With xxe_payload1
$ /Users/chad/.local/share/rtx/installs/java/liberica-8u372+7/bin/java -classpath /Users/chad/Projects/community/XXE-SAXReader/target/classes:/Users/chad/.m2/repository/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.jar xxeSAXReader
start
With xxe_payload2
$ /Users/chad/.local/share/rtx/installs/java/liberica-8u372+7/bin/java -classpath /Users/chad/Projects/community/XXE-SAXReader/target/classes:/Users/chad/.m2/repository/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.jar xxeSAXReader
start
I expect to see a stack trace with java.net.ConnectException: Connection refused (Connection refused) or similar due to trying to resolve an external location, but don't see it.
Can you please share your java -version, full classpath and output/stack trace and validate you are using the code in the POC here? The code here doesn't actually compile as the class is named differently to the file, which is disallowed in Java, so you must have some difference.
https://github.com/joker-xiaoyan/XXE-SAXReader/blob/8c0d24f9800c36c8ad36457c1df1e4aaff24c7b9/POC.java#L8
Please also confirm whether it is xxe_payload1 or xxe_payload2 that you are getting an error with (the sample code defaults to xxe-payload1). Perhaps you are accidentally using an older dom4j version and this is a duplicate of https://nvd.nist.gov/vuln/detail/CVE-2020-10683 (allowing external DTDs).
https://github.com/joker-xiaoyan/XXE-SAXReader/blob/8c0d24f9800c36c8ad36457c1df1e4aaff24c7b9/POC.java#L15-L20
Um, you're right. I tried to reproduce the phenomenon in version 2.1.4 on my computer and found that it couldn't trigger the issue of externally referencing XML files again. However, I'm glad that the leaders can pay attention to this matter, and I apologize again for disturbing everyone. I will work harder to learn Java in the future, analyze the sink points clearly, and submit CVEs instead of simply discovering issues like this :>
------------------ Original message ------------------
From: "Chad ***@***.***>;
Sent: 28 October 2023 (Saturday) 6:29 PM
Subject: Re: [joker-xiaoyan/XXE-SAXReader] works only up to v2.1.0 (Issue #1)
Thanks @joker-xiaoyan.
I still cannot replicate this with liberica-8u372+7 and dom4j 2.1.4 (which is the fuller patch release corresponding to 371).
$ /Users/chad/.local/share/rtx/installs/java/liberica-8u372+7/bin/java -version
openjdk version "1.8.0_372"
OpenJDK Runtime Environment (build 1.8.0_372-b07)
OpenJDK 64-Bit Server VM (build 25.372-b07, mixed mode)
With xxe_payload1
$ /Users/chad/.local/share/rtx/installs/java/liberica-8u372+7/bin/java -classpath /Users/chad/Projects/community/XXE-SAXReader/target/classes:/Users/chad/.m2/repository/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.jar xxeSAXReader
start
With xxe_payload2
$ /Users/chad/.local/share/rtx/installs/java/liberica-8u372+7/bin/java -classpath /Users/chad/Projects/community/XXE-SAXReader/target/classes:/Users/chad/.m2/repository/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.jar xxeSAXReader
start
I expect to see a stack trace with java.net.ConnectException: Connection refused (Connection refused) or similar due to trying to resolve an external location, but don't see it.
Can you please share your java -version, full classpath and output/stack trace and validate you are using the code in the POC here? The code here doesn't actually compile as the class is named differently to the file, which is disallowed in Java, so you must have some difference.
https://github.com/joker-xiaoyan/XXE-SAXReader/blob/8c0d24f9800c36c8ad36457c1df1e4aaff24c7b9/POC.java#L8
Please also confirm whether it is xxe_payload1 or xxe_payload2 that you are getting an error with (the sample code defaults to xxe-payload1). Perhaps you are accidentally using an older dom4j version and this is a duplicate of https://nvd.nist.gov/vuln/detail/CVE-2020-10683 (allowing external DTDs).
https://github.com/joker-xiaoyan/XXE-SAXReader/blob/8c0d24f9800c36c8ad36457c1df1e4aaff24c7b9/POC.java#L15-L20
Alright, thank you. It would be helpful if you could email MITRE to withdraw the CVE - the process usually goes faster if the original submitter asks the CVE Numbering Authority to withdraw than if a separate person does.
OK
------------------ Original message ------------------
From: "Chad ***@***.***>;
Sent: 28 October 2023 (Saturday) 7:14 PM
Subject: Re: [joker-xiaoyan/XXE-SAXReader] works only up to v2.1.0 (Issue #1)
Alright, thank you.
It would be helpful if you could email MITRE to withdraw the CVE - the process usually goes faster if the original submitter asks the CVE Numbering Authority to withdraw than if a separate person does.
@joker-xiaoyan, has the required action (the action mentioned by @chadlwilson in the previous update) been taken to resolve the issue?
Personally I have also asked MITRE to withdraw it but have not received a response. For now it is just marked as disputed, with an extra link added to this discussion, but it is not yet withdrawn: https://www.cve.org/CVERecord?id=CVE-2023-45960 I have also asked Sonatype OSSIndex to detach it from dom4j.
Hello @joker-xiaoyan - did you contact MITRE via https://cveform.mitre.org/ to ask them to reject/withdraw the CVE at https://www.cve.org/CVERecord?id=CVE-2023-45960 ? While it's marked as 'disputed' it is not withdrawn/rejected, which means it is still creating confusion in other databases, including the NIST NVD.
@chadlwilson and @joker-xiaoyan I am a NIST employee who serves on the CVE Board. I wanted to let you know that I have raised this issue with the CVE Board. While I cannot promise a resolution, I am going to do my best to get this record rejected in the CVE Program's CVE list for you. I personally believe this is the right thing to do in this case. If the CVE is rejected, the NVD will get updated accordingly.
👋 @david-waltermire-nist - thanks, that sounds great!
This CVE was rejected. |