{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49110", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2023-11-22T11:08:37.654Z", "datePublished": "2024-06-20T12:29:34.997Z", "dateUpdated": "2024-06-20T15:42:58.902Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "SAST", "vendor": "Kiuwan", "versions": [{"status": "affected", "version": "<master.1808.p685.q13371", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Constantin Schwarz"}, {"lang": "en", "type": "coordinator", "value": "Johannes Greil"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>When the Kiuwan Local Analyzer uploads the scan results to the Kiuwan SAST web \napplication (either on-premises or cloud/SaaS solution), the transmitted data \nconsists of a ZIP archive containing several files, some of them in the \nXML file format. During Kiuwan's server-side processing of these XML \nfiles, it resolves external XML entities, resulting in a XML external \nentity injection attack.&nbsp;<span style=\"background-color: var(--wht);\">An attacker with privileges to scan \nsource code within the \"Code Security\" module is able to extract any \nfiles of the operating system with the rights of the application server \nuser and is potentially able to gain sensitive files, such as \nconfiguration and passwords. Furthermore, this vulnerability also allows\n an attacker to initiate connections to internal systems, e.g. for port \nscans or accessing other internal functions / applications such as the \nWildfly admin console of Kiuwan.</span></p><p>This issue affects Kiuwan SAST: &lt;master.1808.p685.q13371</p>"}], "value": "When the Kiuwan Local Analyzer uploads the scan results to the Kiuwan SAST web \napplication (either on-premises or cloud/SaaS solution), the transmitted data \nconsists of a ZIP archive containing several files, some of them in the \nXML file format. During Kiuwan's server-side processing of these XML \nfiles, it resolves external XML entities, resulting in a XML external \nentity injection attack.\u00a0An attacker with privileges to scan \nsource code within the \"Code Security\" module is able to extract any \nfiles of the operating system with the rights of the application server \nuser and is potentially able to gain sensitive files, such as \nconfiguration and passwords. Furthermore, this vulnerability also allows\n an attacker to initiate connections to internal systems, e.g. for port \nscans or accessing other internal functions / applications such as the \nWildfly admin console of Kiuwan.\n\nThis issue affects Kiuwan SAST: <master.1808.p685.q13371"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2024-06-20T12:29:34.997Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://r.sec-consult.com/kiuwan"}, {"tags": ["release-notes"], "url": "https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The vendor provides a patched version master.1808.p685.q13371 which \nshould be installed immediately. See the changelog from the vendor:</p><p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log\">https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log</a></p><ul><li>XML External Entity Injection =&gt; CVE-2023-49110 is SAS-6851 fixed on release 2024-02-06</li><li>Services Running as Root =&gt; is SAS-6856 and SAS-6857 fixed on release 2024-05-15</li><li>Reflected Cross-site-scripting =&gt; CVE-2023-49111 is SAS-6852 fixed on release 2024-02-06</li><li>Insecure Direct Object Reference =&gt; CVE-2023-49112 is SAS-6853 fixed on release 2024-02-06</li><li>Sensitive Data Stored Insecurely =&gt; CVE-2023-49113 is SAS-6854, SAS-6855, SAS-6858, and SAS-6859 fixed on release 2024-02-06</li></ul><p><br> The following upgrade guide was provided by the vendor:<br><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.kiuwan.com/docs/display/K5/Kiuwan+On-Premises+Distributed+Upgrade+Guide\">https://www.kiuwan.com/docs/display/K5/Kiuwan+On-Premises+Distributed+Upgrade+Guide</a></p><p><br>\n Although initially communicated otherwise during responsible disclosure\n in 2022-2023 (see timeline above), the vendor confirmed in 2024 that \nthe SaaS/cloud version is affected and will also be patched. The patch \ndate was 2024-02-05, version 2.8.2402.3.</p><p>SEC Consult also \nsubmitted further security issues to Kiuwan, such as Docker-related \nconfiguration issues which were also fixed during our responsible \ndisclosure.</p><ul><li>Sensitive Data Stored Insecurely for MySQL</li><li>Sensitive Data displayed for wildfly</li><li>Containers Running as root User</li><li>Containers running in the host network</li><li>Exposure of Internal Services</li></ul><br>"}], "value": "The vendor provides a patched version master.1808.p685.q13371 which \nshould be installed immediately. See the changelog from the vendor:\n\n https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log \n\n * XML External Entity Injection => CVE-2023-49110 is SAS-6851 fixed on release 2024-02-06\n * Services Running as Root => is SAS-6856 and SAS-6857 fixed on release 2024-05-15\n * Reflected Cross-site-scripting => CVE-2023-49111 is SAS-6852 fixed on release 2024-02-06\n * Insecure Direct Object Reference => CVE-2023-49112 is SAS-6853 fixed on release 2024-02-06\n * Sensitive Data Stored Insecurely => CVE-2023-49113 is SAS-6854, SAS-6855, SAS-6858, and SAS-6859 fixed on release 2024-02-06\n\n\n\n The following upgrade guide was provided by the vendor:\n https://www.kiuwan.com/docs/display/K5/Kiuwan+On-Premises+Distributed+Upgrade+Guide \n\n\n\n Although initially communicated otherwise during responsible disclosure\n in 2022-2023 (see timeline above), the vendor confirmed in 2024 that \nthe SaaS/cloud version is affected and will also be patched. The patch \ndate was 2024-02-05, version 2.8.2402.3.\n\nSEC Consult also \nsubmitted further security issues to Kiuwan, such as Docker-related \nconfiguration issues which were also fixed during our responsible \ndisclosure.\n\n * Sensitive Data Stored Insecurely for MySQL\n * Sensitive Data displayed for wildfly\n * Containers Running as root User\n * Containers running in the host network\n * Exposure of Internal Services"}], "source": {"discovery": "UNKNOWN"}, "title": "XML External Entity Injection in Kiuwan SAST", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "kiuwan", "product": "sast", "cpes": ["cpe:2.3:a:kiuwan:sast:0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.8.2402.3", "versionType": "custom"}]}, {"vendor": "kiuwan", "product": "local_analyzer", "cpes": ["cpe:2.3:a:kiuwan:local_analyzer:0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "master.1808.p685.q13371", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-20T15:39:20.547403Z", "id": "CVE-2023-49110", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-20T15:42:58.902Z"}}]}}

{"descriptions": [{"lang": "en", "value": "When the Kiuwan Local Analyzer uploads the scan results to the Kiuwan SAST web \napplication (either on-premises or cloud/SaaS solution), the transmitted data \nconsists of a ZIP archive containing several files, some of them in the \nXML file format. During Kiuwan's server-side processing of these XML \nfiles, it resolves external XML entities, resulting in a XML external \nentity injection attack.\u00a0An attacker with privileges to scan \nsource code within the \"Code Security\" module is able to extract any \nfiles of the operating system with the rights of the application server \nuser and is potentially able to gain sensitive files, such as \nconfiguration and passwords. Furthermore, this vulnerability also allows\n an attacker to initiate connections to internal systems, e.g. for port \nscans or accessing other internal functions / applications such as the \nWildfly admin console of Kiuwan.\n\nThis issue affects Kiuwan SAST: <master.1808.p685.q13371"}], "id": "CVE-2023-49110", "lastModified": "2024-06-20T16:07:50.417", "metrics": {}, "published": "2024-06-20T13:15:49.250", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://r.sec-consult.com/kiuwan"}, {"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}

{}