Kiuwan SAST Vulnerability: XML External Entity Injection Attack
CVE-2023-49110
7.2 HIGH
What is CVE-2023-49110?
The vulnerability in Kiuwan SAST arises during the server-side processing of XML files contained in ZIP archives uploaded from the Kiuwan Local Analyzer. Because external XML entities in these files are resolved, an attacker with scanning privileges can access sensitive files on the operating system. This can lead to the extraction of confidential data such as passwords and configuration files. The flaw also makes it possible to initiate connections to internal systems, enabling further attacks such as port scans or unauthorized access to internal applications.
Affected Version(s)
SAST < master.1808.p685.q13371
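A defensive pattern for this class of flaw, shown as an added example (not Kiuwan's code and not the vendor's fix): screen every XML member of an uploaded ZIP and refuse any that declares a DTD, since external entities cannot exist without one. The function names and the sample archive are hypothetical and constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat


class DoctypeForbidden(ValueError):
    """An uploaded XML member declares a DTD, the precondition for entities."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Fires at <!DOCTYPE ...>, before any entity in the subset is processed.
    raise DoctypeForbidden(f"DOCTYPE {name!r} not allowed")


def check_xml(data: bytes) -> None:
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.Parse(data, True)


def screen_archive(zip_bytes: bytes) -> dict:
    """Return {member name: reason} for XML members that must be refused."""
    rejected = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            try:
                check_xml(zf.read(info))
            except DoctypeForbidden as exc:
                rejected[info.filename] = str(exc)
            except expat.ExpatError as exc:
                rejected[info.filename] = f"malformed XML: {exc}"
    return rejected


def build_sample() -> bytes:
    """Constructed archive: one clean XML, one with a DTD, one non-XML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("results/ok.xml", "<report><item>1</item></report>")
        zf.writestr("results/dtd.xml", '<!DOCTYPE r [<!ENTITY x SYSTEM '
                    '"http://placeholder.invalid/x">]><r>&x;</r>')
        zf.writestr("notes.txt", "plain text, not parsed")
    return buf.getvalue()
```

Running `screen_archive(build_sample())` flags only `results/dtd.xml`; an archive with any flagged member should be refused before its contents reach the main XML parser.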
