GHSA-763G-FQQ7-48WG

Vulnerability from github – Published: 2020-01-31 18:00 – Updated: 2021-08-19 16:49
VLAI?
Summary
XML external entity (XXE) processing ('external-parameter-entities' feature was not fully disabled))
Details

Due to an incomplete fix for CVE-2019-9658, checkstyle was still vulnerable to XML External Entity (XXE) Processing.

Impact

User: Build Maintainers

This vulnerability probably doesn't impact Maven/Gradle users as, in most cases, these builds are processing files that are trusted, or pre-vetted by a pull request reviewer before being run on internal CI infrastructure.

User: Static Analysis as a Service

If you operate a site/service that parses "untrusted" Checkstyle XML configuration files, you are vulnerable to this and should patch.

Note from the discoverer of the original CVE-2019-9658:

While looking at a few companies that run Checkstyle/PMD/ect... as a service I notice that it's a common pattern to run the static code analysis tool inside of a Docker container with the following flags: --net=none \ --privileged=false \ --cap-drop=ALL Running the analysis in Docker has the advantage that there should be no sensitive local file information that XXE can exfiltrate from the container. Additionally, these flags prevent vulnerabilities in static analysis tools like Checkstyle from being used to exfiltrate data via XXE or to perform SSRF. - Jonathan Leitschuh

Patches

Has the problem been patched? What versions should users upgrade to?

Patched, will be released with version 8.29 at 26 Jan 2020.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No workaround are available

References

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/checkstyle/checkstyle/issues

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.puppycrawl.tools:checkstyle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-31T17:58:17Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Due to an incomplete fix for [CVE-2019-9658](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658), checkstyle was still vulnerable to XML External Entity (XXE) Processing.\n\n### Impact\n\n#### User: Build Maintainers\n\nThis vulnerability probably doesn\u0027t impact Maven/Gradle users as, in most cases, these builds are processing files that are trusted, or pre-vetted by a pull request reviewer before being run on internal CI infrastructure.\n\n#### User: Static Analysis as a Service\n\nIf you operate a site/service that parses \"untrusted\" Checkstyle XML configuration files, you are vulnerable to this and should patch.\n\nNote from the discoverer of the original CVE-2019-9658:\n\n\u003e While looking at a few companies that run Checkstyle/PMD/ect... as a service I notice that it\u0027s a common pattern to run the static code analysis tool inside of a Docker container with the following flags:\n\u003e ```\n\u003e --net=none \\\n\u003e --privileged=false \\\n\u003e --cap-drop=ALL\n\u003e ```\n\u003e Running the analysis in Docker has the advantage that there should be no sensitive local file information that XXE can exfiltrate from the container. Additionally, these flags prevent vulnerabilities in static analysis tools like Checkstyle from being used to exfiltrate data via XXE or to perform SSRF.\n\u003e \\- [Jonathan Leitschuh](https://twitter.com/jlleitschuh)\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nPatched, will be released with version 8.29 at 26 Jan 2020.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nNo workaround are available\n\n### References\n\n - [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html)\n - GitHub Issue https://github.com/checkstyle/checkstyle/issues/7468\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in https://github.com/checkstyle/checkstyle/issues\n",
  "id": "GHSA-763g-fqq7-48wg",
  "modified": "2021-08-19T16:49:30Z",
  "published": "2020-01-31T18:00:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/checkstyle/checkstyle/security/advisories/GHSA-763g-fqq7-48wg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/checkstyle/checkstyle/issues/7468"
    },
    {
      "type": "WEB",
      "url": "https://github.com/checkstyle/checkstyle/commit/c46a16d177e6797895b195c288ae9a9a096254b8"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540@%3Ccommits.nifi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-COMPUPPYCRAWLTOOLS-543266"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML external entity (XXE) processing (\u0027external-parameter-entities\u0027 feature was not fully disabled))"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.