cbcvebase.
CVE-2020-11991
published 2020-09-11

Priority: P1 · 83 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV (exploited in the wild)
EPSS: 73.08% (99.4th percentile)

When using the StreamGenerator, the code parses user-provided XML. A specially crafted XML document, including external system entities, could be used to access any file on the server system.

Affected (1 range)

Vendor | Product | Version range | Fixed in
apache | cocoon | 2.1 – 2.1.12 |

Detection & IOCs (extracted from sources)

url: /v2/api/product/manger/getInfo
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Cocoon XXE CVE-2020-11991"; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; content:"file|3a|//"; nocase; distance:0; reference:cve,2020-11991; classtype:attempted-admin; sid:2033641; rev:1;)
  • POST requests to /v2/api/product/manger/getInfo with Content-Type: text/xml and a body containing an XML DOCTYPE declaration with an external SYSTEM entity referencing file:// URIs are indicative of CVE-2020-11991 exploitation attempts.
  • Successful exploitation leaks /etc/passwd content; response bodies matching 'root:.*:0:0:' with HTTP 200 confirm file read via XXE.
  • Network-level detection: inspect HTTP POST bodies for co-occurrence of DOCTYPE, SYSTEM, and file:// (file|3a|//) tokens targeting Apache Cocoon endpoints.
  • Shodan/FOFA asset discovery: identify exposed Apache Cocoon instances via banner/body strings before targeted exploitation.
  • The vulnerable endpoint path (/v2/api/product/manger/getInfo) may be deployment-specific and not universal across all Apache Cocoon 2.1.12 installations; detections should not rely solely on this path.
  • The vulnerability is triggered specifically when the StreamGenerator component is in use; deployments not using StreamGenerator are not affected.
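
The request-side and response-side checks above, combined into a path-independent log classifier. This is an added example, not code from the page's sources; the event fields, the second sample path and all sample bodies are constructed assumptions.

```python
import re

# Request-side tokens from the rule on this page; re.I mirrors "nocase".
DOCTYPE = re.compile(rb"DOCTYPE", re.I)
# "file://" must start after the end of a "SYSTEM" match (the rule's distance:0).
SYSTEM_THEN_FILE = re.compile(rb"SYSTEM.*?file://", re.I | re.S)
# Response-side confirmation pattern quoted on this page.
PASSWD_ROOT = re.compile(rb"root:.*:0:0:")


def request_matches(method: str, body: bytes) -> bool:
    """True when a POST body carries DOCTYPE plus SYSTEM followed by file://."""
    return (method.upper() == "POST"
            and DOCTYPE.search(body) is not None
            and SYSTEM_THEN_FILE.search(body) is not None)


def classify(event: dict) -> str:
    """Label one request/response pair; the URL path is deliberately not consulted."""
    if not request_matches(event["method"], event["req_body"]):
        return "no-match"
    if event["status"] == 200 and PASSWD_ROOT.search(event["resp_body"]):
        return "confirmed-file-read"
    return "attempt"


# Constructed sample events (not captured traffic); the second path is hypothetical.
XXE = b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><r>&x;</r>'
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/v2/api/product/manger/getInfo", "req_body": XXE,
     "status": 200, "resp_body": b"root:x:0:0:root:/root:/bin/bash\n"},
    {"method": "POST", "path": "/other/pipeline", "req_body": XXE.lower(),
     "status": 500, "resp_body": b"Internal Server Error"},
    {"method": "POST", "path": "/v2/api/product/manger/getInfo",
     "req_body": b"<!DOCTYPE note><note>file:// is blocked by SYSTEM policy</note>",
     "status": 200, "resp_body": b"<ok/>"},
    {"method": "GET", "path": "/index.html", "req_body": b"",
     "status": 200, "resp_body": b"root:x:0:0:root:/root:/bin/bash\n"},
]


def run_samples() -> list:
    """Classify every constructed event and return (path, verdict) pairs."""
    return [(e["path"], classify(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for path, verdict in run_samples():
        print(f"{verdict:20} {path}")
```

The third sample contains all three tokens but with file:// before SYSTEM, so it does not match, which is the same ordering the rule enforces.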

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | 7.5 | HIGH