XML External Entity Vulnerability in Apache Cocoon StreamGenerator
CVE-2020-11991

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Cocoon
Vendor: CVE Published:; 11 September 2020

Summary

The vulnerability in the StreamGenerator of Apache Cocoon arises from the handling of user-provided XML data, which is subject to external entity processing. By crafting a malicious XML request that exploits this feature, an attacker can potentially gain unauthorized access to sensitive files on the server. This exposes significant risks to server integrity and confidentiality, as it allows the possibility of reading files and executing further attacks.

Affected Version(s)

Apache Cocoon Apache Cocoon 2.1.0 to 2.1.12

References

https://lists.apache.org/thread.html/r77add973ea521185e1a...

x_refsource_MISC

EPSS Score

89% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 11, 2020
Vulnerability Reserved
Apr 21, 2020