JOC - JobScheduler Operations Center / JOC-853

XML eXternal Entity (XXE) Vulnerability allows reading files from the server (CVE-2020-6856)


Details

• CVE-2020-6856

Description

Vulnerability

• An XXE vulnerability was identified when processing XML input with JOC Cockpit, see https://en.wikipedia.org/wiki/XML_external_entity_attack
• In some requests DOCTYPE entities can be added in a way that will disclose information that is available for the JOC Cockpit daemon's run-time OS account.
• Severity Level: MEDIUM
  • In order to exploit the vulnerability, you must have a valid account in the JOC Cockpit application that allows you to perform a specific action. The attacker must therefore be the holder of account credentials with privileges for vulnerable views.

Mitigation

• If a request contains a DOCTYPE element then an error is raised and no information is disclosed.

People: Oliver Haufe, Santiago Aucejo Petzoldt
