
Post-Auth External Entity Expansion (XXE)

moderate
robinshine published GHSA-9pph-8gfc-6w2r Jan 11, 2021

Package

No package listed

Affected versions

<4.0.2

Patched versions

4.0.3

Description

Impact

When a BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString), which parses the XML document without preventing the expansion of external entities. Such entities can be declared to read arbitrary files from the file system and dump their contents into the XML document that is then migrated. If the file contents land in properties that are carried over into the resulting YAML, the attacker can read them directly. For example:

<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>

If they do not, the attacker can still exfiltrate the contents of these files out of band.

This issue may lead to arbitrary file read.

Patches

This issue was addressed in 4.0.3 by ignoring ENTITY declarations in the XML file.

Credits

This issue was discovered by @pwntester

CVE ID

CVE-2021-21250