CVE-2019-7442
Published 2019-05-08
Priority P180 · Critical 9.8 (CVSS 3.0)
EXPLOIT · EPSS 40.01% (98.4th percentile)
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyberark | enterprise_password_vault | <= 10.7 | — |
Detection & IOCs (extracted from sources)
IoC (other): `SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d`
- Detect outbound HTTP GET requests from the PVWA server to external hosts fetching .dtd files; this indicates successful XXE out-of-band data exfiltration (e.g., GET /pepe.dtd).
- Alert on outbound HTTP GET requests from the PVWA server containing URL-encoded file content in the query string, indicating successful XXE file exfiltration via an out-of-band channel.
- The XXE payload uses a crafted DTD with a parameter entity (%sp;) loaded from an external server, followed by a secondary parameter entity (%param1;) to exfiltrate data. Detect SAMLResponse values whose base64-decoded content contains '<!DOCTYPE', '<!ENTITY', '%sp;', or '%param1;'.
- The exploit targets the SAML authentication flow via HTTP POST with Content-Type: application/x-www-form-urlencoded to the PVWA endpoint. Inspect the SAMLResponse POST parameter for XML DOCTYPE injection.
- The XXE vulnerability is exploitable only when SAML authentication is enabled in the PVWA configuration. Environments not using SAML are not directly exposed via this attack vector.
- The attack is unauthenticated: the malicious SAMLResponse payload is submitted to the pre-authentication SAML endpoint, so no valid credentials are required to trigger the XXE.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
References
- http://packetstormsecurity.com/files/152801/CyberArk-Enterprise-Password-Vault-10.7-XML-External-Entity-Injection.html
- https://www.octority.com/2019/05/07/cyberark-enterprise-password-vault-xml-external-entity-xxe-injection/