CVE-2020-11991
Published: 2020-09-11
Priority: P183 · high · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 73.08% (99.4th percentile)
When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | cocoon | 2.1 – 2.1.12 | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Cocoon XXE CVE-2020-11991"; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; content:"file|3a|//"; nocase; distance:0; reference:cve,2020-11991; classtype:attempted-admin; sid:2033641; rev:1;)
- POST requests to /v2/api/product/manger/getInfo with Content-Type: text/xml and a body containing an XML DOCTYPE declaration with an external SYSTEM entity referencing file:// URIs are indicative of CVE-2020-11991 exploitation attempts.
- Successful exploitation leaks /etc/passwd content; response bodies matching 'root:.*:0:0:' with HTTP 200 confirm file read via XXE.
- Network-level detection: inspect HTTP POST bodies for co-occurrence of DOCTYPE, SYSTEM, and file:// (file|3a|//) tokens targeting Apache Cocoon endpoints.
- Shodan/FOFA asset discovery: identify exposed Apache Cocoon instances via banner/body strings before targeted exploitation.
- The vulnerable endpoint path (/v2/api/product/manger/getInfo) may be deployment-specific and not universal across all Apache Cocoon 2.1.12 installations; detections should not rely solely on this path.
- The vulnerability is triggered specifically when the StreamGenerator component is in use; deployments not using StreamGenerator are not affected.
CVSS provenance
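| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |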
GHSA
GHSA-586v-g7r5-mhgp: When using the StreamGenerator, the code parses a user-provided XML
ghsa_unreviewed · 2022-05-24 · CVE-2020-11991 [HIGH]
When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
VulnCheck
Apache cocoon Improper Restriction of XML External Entity Reference
vulncheck · 2020 · CVSS 7.5 · CVE-2020-11991 [HIGH]
When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
Affected: Apache cocoon
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-25&host_type=src&vulnerability=cve-2020-11991; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-01&host_type=src&vulnerability=cve-2020-11991; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/
Suricata
ET EXPLOIT Apache Cocoon <= 2.1.x LFI (CVE-2020-11991)
suricata · 2021-08-02 · CVSS 7.5 · CVE-2020-11991 [HIGH]
ET EXPLOIT Apache Cocoon $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Cocoon ]+?\s+?SYSTEM\s/Ri"; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; content:"file|3a|//"; nocase; distance:0; reference:url,www.cnblogs.com/0day-li/p/13663350.html; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-11991; classtype:attempted-admin; sid:2033641; rev:1; metadata:created_at 2021_08_02, cve CVE_2020_11991, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_02;)
Nuclei
Apache Cocoon 2.1.12 - XML Injection
nuclei · CVSS 7.5 · CVE-2020-11991 [HIGH]
Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
Template:
id: CVE-2020-11991
info:
  name: Apache Cocoon 2.1.12 - XML Injection
  author: pikpikcu
  severity: high
  description: Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and remote code execution.
  remediation: Upgrade to Apache C